Heavily Infected PC (Different Computer)!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by MisuzuKamio, Jul 6, 2009.

  1. MisuzuKamio

    MisuzuKamio Private E-2

    I am trying to clean out a pretty old PC that my mom would like to have and also have it connected to the internet through a router connection from my other computer. However, this computer I am on is heavily infected, so I have to make sure it's clean so it doesn't infect both our computers. =o

    Problems I am having:
    I haven't really used this computer in about 2.5 years and, well, it's pretty old altogether. I upgraded this computer from Windows 98 to Windows XP without wiping the hard drive and without converting file systems (it's still FAT32). Since then, I haven't been fully able to uninstall Norton and a few other programs (if you are wondering why it still has traces on this computer).

    My real problems began when someone I know led me to a free anti-virus site called StopSign by eAcceleration, and it sounded like a legit AV program before I knew anything about computers... rolleyes Boy, was I wrong! They claim to be legit now, but obviously I'll never go back to them.

    Computer Problems Remaining After Running The Read Me Guide:

    - Error at startup from the rogue software that says: "Your StopSign installation has been corrupted. Reinstalling may fix the problem. To redownload the software, please visit: [insert malware link]. If you continue to experience this error, you may have other software installed that conflicts with StopSign. Please contact StopSign Support for further assistance."
    - Red balloon with an X in the taskbar at startup says: "Your computer might be at risk - Stop Sign Free Trial Diagnostic Version is turned off. Click this balloon to fix this problem." It still shows that the rogue software StopSign is my main Anti-virus program.
    - Computer runs very slow
    - Unable to defrag even when I have plenty of free space

    At this rate... I might be better off doing a clean install of XP and wiping everything on this one, but I will see if I can save myself some money for now because I'd have to buy a new XP disk and if my memory serves correctly they are pretty pricey.

    I ran Spybot before I started the read me and it picked up some traces of eAcceleration/StopSign, but I don't think it was able to remove them. I haven't re-run it since I started the Read Me.

    Anyway, attached are 4 logs. The last will be in a separate post. :) Thanks!
     


  2. MisuzuKamio

    MisuzuKamio Private E-2

    And finally, my SAS log. Thank you.
     


  3. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hi there -

    I am currently reviewing your logs and will get back to you with a set of instructions as soon as possible. Thank you for your patience during this time.

    Kestrel13!
     
  4. MisuzuKamio

    MisuzuKamio Private E-2

    Hi Kestrel13! No problem. Thank you especially for taking the time to help me out! ^_^ I'll check the thread whenever I can and get back to you as quick as I can when you reply.

    (On an off-topic note: I really like your icon. Elfen Lied is a great anime. :) )
     
  5. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Thank you! :) Okay, let's get to doing the below:

    ......................

    1. If you do not use Windows Messenger, run Disable/Remove Windows Messenger to remove it. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    2. This will take care of remnants from Norton:

    First please uninstall the below software:



    Next...

    Now give the Norton Removal Tool (SymNRT) a run > reboot your machine and then run it again for good measure.


    3. Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:


    After clicking Fix exit HJT.

    4. Now we need to use ComboFix to remove a bunch of malware files.

    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it
    (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    Driver::
    eac_productsvc
    eac_notifysvc
    
    Folder::
    c:\program files\Acceleration Software
    c:\program files\eAcceleration
    c:\program files\SpyHunter
    c:\program files\Viewpoint
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
    "ccApp"=-
    "ccRegVfy"=-
    "SpyHunter"=-
    "EnigmaPopupStop"=-
    "ViewMgr"=-
    
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe


    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    5. Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Combofix.

    6. Let us know of any problems you may have encountered with the above instructions and also let me know how things are running now.
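As an added example (not part of the original thread and not ComboFix's own code): the CFScript in step 4 is a plain-text file made of `Name::` sections, and once it is dragged onto ComboFix.exe a typo in the `Folder::` list cannot be undone. The Python lint below parses that format and refuses obvious foot-guns such as a bare `c:\program files` as a folder entry. It assumes the directive meanings stated in its comments (KILLALL:: ends running processes and takes no entries, Driver:: removes the named services/drivers, Folder:: deletes the listed folders, Registry:: applies .reg-style lines where `"name"=-` deletes a value and `[-KEY]` deletes a key); `PROTECTED_FOLDERS`, `KNOWN_SECTIONS` and the `lint_cfscript` report layout are constructed for the example, and `SAMPLE_CFSCRIPT` reproduces the script from this post.

```python
"""Lint a ComboFix CFScript before dragging it onto ComboFix.exe.

Added example; not ComboFix's own code. Directive meanings are assumptions
about the CFScript format as used in this thread:
  KILLALL::   end running processes (takes no entries)
  Driver::    remove the named services/drivers
  Folder::    delete the listed folders
  Registry::  apply .reg-style lines; "name"=- deletes a value, [-KEY] a key
"""
import re

# Sections used in this thread's script; anything else is reported as unknown.
KNOWN_SECTIONS = {"KILLALL", "Driver", "Folder", "Registry"}

# Constructed for the example: roots a cleanup script must never list.
PROTECTED_FOLDERS = {
    r"c:",
    r"c:\windows",
    r"c:\windows\system32",
    r"c:\program files",
    r"c:\documents and settings",
}

# Sample input: the script from the post above, reproduced verbatim.
SAMPLE_CFSCRIPT = r'''KILLALL::

Driver::
eac_productsvc
eac_notifysvc

Folder::
c:\program files\Acceleration Software
c:\program files\eAcceleration
c:\program files\SpyHunter
c:\program files\Viewpoint

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"ccApp"=-
"ccRegVfy"=-
"SpyHunter"=-
"EnigmaPopupStop"=-
"ViewMgr"=-
'''

SECTION_RE = re.compile(r"^([A-Za-z]+)::\s*$")
REG_KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
REG_DEL_VALUE_RE = re.compile(r'^"([^"]*)"=-$')
REG_SET_VALUE_RE = re.compile(r'^"([^"]*)"=(.+)$')


def parse_cfscript(text):
    """Split the script into an ordered {section: [entries]} map."""
    script, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            script.setdefault(current, [])
            continue
        if current is None:
            raise ValueError("entry before any section header: %r" % line)
        script[current].append(line)
    return script


def parse_registry_section(lines):
    """Turn Registry:: lines into (action, key, value_name) tuples."""
    ops, key = [], None
    for line in lines:
        m = REG_KEY_RE.match(line)
        if m:
            minus, key = m.groups()
            if minus:  # [-KEY] is .reg syntax for deleting the whole key
                ops.append(("delete_key", key, None))
            continue
        if key is None:
            raise ValueError("value line before any [key]: %r" % line)
        m = REG_DEL_VALUE_RE.match(line)
        if m:
            ops.append(("delete_value", key, m.group(1)))
            continue
        m = REG_SET_VALUE_RE.match(line)
        if m:
            ops.append(("set_value", key, m.group(1)))
            continue
        raise ValueError("unrecognised Registry:: line: %r" % line)
    return ops


def check_folders(folders):
    """Flag Folder:: entries that are system roots or not absolute drive paths."""
    problems = []
    for f in folders:
        norm = f.rstrip("\\").lower()
        if norm in PROTECTED_FOLDERS:
            problems.append("refuses to delete a system root: " + f)
        elif not re.match(r"^[a-z]:\\", norm):
            problems.append("not an absolute drive path: " + f)
    return problems


def lint_cfscript(text):
    """Parse the script and return a report listing entries and problems."""
    script = parse_cfscript(text)
    report = {"sections": list(script), "problems": []}
    for name in script:
        if name not in KNOWN_SECTIONS:
            report["problems"].append("unknown section %s:: (not used in this thread)" % name)
    if script.get("KILLALL"):
        report["problems"].append("KILLALL:: takes no entries")
    report["drivers"] = script.get("Driver", [])
    report["folders"] = script.get("Folder", [])
    report["problems"] += check_folders(report["folders"])
    report["registry"] = parse_registry_section(script.get("Registry", []))
    return report


if __name__ == "__main__":
    rep = lint_cfscript(SAMPLE_CFSCRIPT)
    for k in ("sections", "drivers", "folders", "registry", "problems"):
        print(k, rep[k])
```

Run it over the saved CFscript.txt before dragging the file onto ComboFix.exe; an empty `problems` list means every folder entry is an absolute path below a non-system root and every registry line parsed as a key header, value deletion or value set.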
     
  6. MisuzuKamio

    MisuzuKamio Private E-2

    Wow, thanks for all of that! I'm so happy: it fixed most of the problems and so far, my computer is running considerably better! :)

    Here are my remaining problems and concerns:

    1) SpyBot is still picking up adware called "Right Media" (Cookie: user @ad.yieldmanager.com/) for IE. I click to fix it, but it still comes back after I restart. There is a jpeg picture of what it found in the attachments if you want to see exactly what it is.

    2) On IE in the toolbar I see two icons that I don't remember seeing on my other computer with the Yahoo! Toolbar. One states that "44 popups are blocked" and another one next to it says "Anti-spy." The picture is attached. It could be just the Yahoo toolbar but it also could be related to that adware cookie.

    3) At startup, the error message about eAcceleration is gone (yay! :)) and so is the balloon that says StopSign is turned off. However, now the red balloon pops up and says no anti-virus is installed at all. When I click it, it says no AV software could be detected and I should install one. I have Avast! installed and everything looks like it's turned on correctly, but this makes me worry that it's not installed correctly.

    4) I have an icon on my desktop left from eAcceleration saying "Scan now for viruses and threats." Can I delete it safely? I'm afraid to even click the icon in fear that it will infect the computer again. =O

    5) When I press Ctrl+Alt+Del it says my CPU usage is 100%. After a while it goes down and toggles between about 56% and 80%. My computer does run slow and I'm planning to uninstall even more software I won't be using. It's probably because it's old and it might not even be related to viruses at all, but definitely worth mentioning just in case. :D

    I think that is all of the remaining problems/concerns. I haven't tried de-fragmenting now that StopSign seems to be gone (Woooot!), but I will try it out right now.

    Attached are the logs you requested and the two pictures I mentioned. Thanks so much and I look forward to your next reply! :)
     


  7. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hi there! Just a little more tidying up to do and we are done! :)

    1. Please use Windows Explorer to find and delete the below folder:

    Folder -
    c:\windows\47D5D869FE574F2FA35883CFAA7B4968.TMP

    2. Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    After clicking Fix exit HJT.

    3. and finally...

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 the READ ME for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
  8. MisuzuKamio

    MisuzuKamio Private E-2

    Hey Kestrel,

    Sorry it took me so long to get back to you. It's been a hectic few days.

    I did all the steps. :) I ran a few more scans and SAS picked up PEV.exe and I quarantined it. I deleted my cookies and the "bad cookie" went bye bye. :) I'm having a few problems, but I think they are not related to malware: clock keeps changing, disk defrag gets stuck, and so on. I'll post in the hardware section or another part of the forums about those. Can I safely delete the eAcceleration icon on my desktop though?

    Anyways, I think I am all set now. Thank you very very much for all of your help! ^_^
     
  9. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Not a problem. Just complete my final steps as requested.

    Yes, you can safely delete the icon for eAcceleration from your desktop :)
     
  10. MisuzuKamio

    MisuzuKamio Private E-2

    All the steps in your post have been completed and I will delete the icon from my desktop. Again, thank you very much! :) I appreciate it a lot.
     
  11. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You are very welcome :)
     
