Lots of Stuff found...

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Snarfs, Apr 27, 2009.

  1. Snarfs

    Snarfs Private E-2

    Hello,
    I made my way to these forums after the following:

    While editing several php files in Notepad++ and running a couple websites in Firefox (none of which had caused problems in the past) I received an unexpected popup telling me that Internet Explorer was not my default browser and asking if I wanted to make it so. Shortly after this popup, another message popped up saying that Google toolbar had been successfully installed. I knew at this point something was definitely up, but the real kick in the pants was the system tray icon appearing, telling me I had been infected and to go to "this" website to download their super awesome anti-spyware tool.

    Edit: Note, "this" website meaning some site which undoubtedly would have been bad to click on, NOT majorgeeks.com

    Since I haven't really cleaned my computer (read: run a virus scan) in about 6 months, I figured I'd have some issues. I was right.

    I'll attach the logs from the sticky along with these notes:

    When I got to Step 2 (Enabling view of hidden files and system folders), I was not presented with the Folder Options option under Tools in Windows Explorer; just these three options: Map Network Drive, Disconnect Network Drive, and Synchronize.... However, now the option has returned (woot! Something good has already happened!)

    The second note is this: While running SUPERAntiSpyware, a popup window appeared during the removal/quarantine which informed me some system file had been deleted and that my computer was going to be forced to reboot in 60 seconds. Lo and behold, 60 seconds later everything is forced to shut down and my computer restarts. This was not part of SAS. I'm pretty sure the removal/quarantine was able to finish, but I can't be positive.


    So now I'm not too sure everything's fixed, but since my computer was so f... hurt... I'd like to be safe and would greatly appreciate an expert's help :)

    Thank you in advance,
    Snarfs
     

    Attached Files:

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Looks like the scans took care of most of the malware. Let's just have you do this:

    Use windows explorer to find and delete:
    c:\windows\system32\loader49.exe
    C:\Program Files\Mozilla Firefox\extensions\{422E76B4-3BF5-4626-9E3D-BD23AA810269}\chrome\content\overlay.xul

    Now run Ccleaner to clean out only temp files and nothing else!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
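A defender's version of the file-removal step in TimW's post above, added here as an example and not part of the thread: instead of deleting the two named paths outright, it records a SHA-256 and size for each and moves the file into a quarantine folder, so the evidence survives if the logs need a second look. The quarantine folder, log file name and the requirement of an elevated PowerShell prompt are assumptions.

```powershell
# Added example (not from the MajorGeeks thread): verify and quarantine the two
# artefacts named in the post rather than deleting them, keeping a hash record.
# Assumptions: Windows PowerShell 2.0 or later, run from an elevated prompt;
# C:\Quarantine and its log file are our own choices.
$Artifacts = @(
    'C:\Windows\System32\loader49.exe',
    'C:\Program Files\Mozilla Firefox\extensions\{422E76B4-3BF5-4626-9E3D-BD23AA810269}\chrome\content\overlay.xul'
)
$QuarantineDir = 'C:\Quarantine'                       # assumed location
$LogFile       = Join-Path $QuarantineDir 'quarantine.log'

if (-not (Test-Path -LiteralPath $QuarantineDir)) {
    New-Item -ItemType Directory -Path $QuarantineDir | Out-Null
}

function Write-Log([string]$Message) {
    # Timestamped line to console and to the quarantine log.
    $line = "$(Get-Date -Format s)  $Message"
    Write-Output $line
    Add-Content -Path $LogFile -Value $line
}

function Get-Sha256Hex([string]$Path) {
    # SHA-256 via .NET so this also works before Get-FileHash existed (PS 4.0).
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $stream.Close() }
}

foreach ($path in $Artifacts) {
    # -LiteralPath: the extension path contains braces, so avoid wildcard parsing.
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Log "ABSENT  $path"
        continue
    }
    $item = Get-Item -LiteralPath $path -Force          # -Force: see hidden/system files
    $hash = Get-Sha256Hex $item.FullName
    # Rename on the way out so the copy is inert and cannot be loaded from here.
    $dest = Join-Path $QuarantineDir ("{0}_{1}.quarantined" -f $item.Name, $hash.Substring(0, 12))
    Move-Item -LiteralPath $item.FullName -Destination $dest -Force
    Write-Log "MOVED   $path  sha256=$hash  size=$($item.Length)  -> $dest"
}
```

If the file is locked by a running process the Move-Item will fail; that is itself a finding worth noting in the log before rebooting and retrying.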
     
  3. Snarfs

    Snarfs Private E-2

    I deleted the two files and ran CCleaner as you said. When I try to run GetLogs.bat it appears to freeze. I remember it did this when I first ran it, but I found a way to get the logs anyway. I think I had to try the MGtools.exe a couple times, but now neither the GetLogs.bat nor the MGtools.exe seems to work.

    Thanks for your help thus far :)
     
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Try renaming MGTools.exe to MGTools.com and see if it will run.

    Also re-run Combo and attach both logs if you can.
     
  5. Snarfs

    Snarfs Private E-2

    That worked, thanks.

    Here are the new logs.

    Again, thanks for the help.
     

    Attached Files:

  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Looks good. Your logs are clean. If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They are useful as backup scanners. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note: the quotes are required.
      • "%userprofile%\Desktop\combofix" /u
        • Note: the space between combofix" and /u must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.

      • Delete the C:\combofix folder from combofix (if it exists)

    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip file.
    7. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    8. After doing the above, you should work thru the below link:

     
