Malware Removal

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Texaslg, Sep 25, 2011.

  1. Texaslg

    Texaslg Private E-2

Hi, I have read and completed the R&R Malware Removal guide and I have attached my logs. I was not able to run the RootRepeal (it is a .rar file and wanted me to select a program to run) or the MGTools.exe (the folder is located on my C drive but when I double-click on the icon and then run, nothing happens). Also, when I ran the ComboFix it never disconnected me from the internet like it said would happen. I didn't have any programs running or open while ComboFix was running but after the fact I opened Internet Explorer (trying to run RootRepeal) and it crashed.

    The Super AntiSpyware was the only program that found "potentially harmful" files but previous to finding your website I ran Spybot and it came across 70+ possibly harmful files.

    Thanks for your help.
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

What malware problems brought you here to begin with?

    Let's try to debug this.

    Please click Start, Run, and enter cmd and click OK. This will open a command prompt window. Enter the below commands at the command prompt each followed by the enter key. The bold black are commands. The purple is merely informational.

cd \MGtools <-- this changes to the MGtools folder and the prompt should change to C:\MGtools>
nwktst <-- this will try to run one scan from MGtools. Tell me what error messages, if any, you see.
analyse <-- this will try to run TrendMicro HijackThis. Click twice on the Accept button to accept the license agreement if it shows. Then run a scan and save a log. Tell me what error messages, if any, you see.
GetRunKey <-- this will try to run one scan from MGtools. Tell me what error messages, if any, you see.
ShowNew <-- this will try to run another scan from MGtools. Tell me what error messages, if any, you see.
Now look for the C:\MGlogs.zip file and attach it no matter what happened while doing the above.
     
  3. Texaslg

    Texaslg Private E-2

    Thanks, so far this site has been really helpful.

I wasn't openly aware of any malware to begin with, but I had opened an email from a reliable friend and as soon as I did so, I could tell something wasn't right. I later mentioned this to him and he confirmed that he had somehow got a virus (keystroke/password tracker) that went out to all his email contacts. Since then I have had 2 incidents of credit card fraud and other accounts being accessed by a user other than myself. I don't have any confirmation of malware on my computer other than what Spybot has picked up, mainly tracking cookies, and what SuperAntiSpyware found. Being that I am not very familiar with this issue, I do not know the severity of these supposed harmful files.

I have not received any error messages for the above tasks, but after running GetRunKey, the prompt C:\MGTools did not appear again for me to enter ShowNew, although the runkeys.txt file did show up in Notepad. Is it still running or do I just need to go back to cmd and start again at ShowNew?

    I attached a screen shot, as well as my previous log for Spybot. This was run before I started on this forum so it will show what was found prior to my logs following the R&R doc.

    Thank you so much for the help!
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Cookies are not problems. And nothing that SUPERAntiSpyware found was a problem. Those are false detections.

Just close the Notepad windows that pop up and continue.

    Of what?
     
  5. Texaslg

    Texaslg Private E-2

Disregard the screenshot, I just closed Notepad and continued. Attached are the logs.
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    All of your logs thus far are clean. Let's run two more scans just to be safe.


Go to the below link and follow the instructions for running TDSSKiller from Kaspersky.
• Be sure to attach your log from TDSSKiller



    Now please also download MBRCheck to your desktop.

See the download links under this icon
• Double click MBRCheck.exe to run (Vista and Win 7: right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )
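As an added illustration of the kind of decision a tool like MBRCheck makes (this is not MBRCheck's code and is not from the thread): a Python check that parses a 512-byte MBR image, verifies the 0x55AA boot signature and the partition table, and compares a hash of the boot-code area against a known-good set. The sample MBR, its boot-code bytes and the known-good set are constructed placeholders, not real Windows boot code.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440        # bytes 0-439: boot code; 440-445: disk signature; 446-509: partition table
PART_TABLE_OFF = 446
PART_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xaa"

def build_sample_mbr(boot_code: bytes) -> bytes:
    """Construct a 512-byte MBR image: given boot code, one active NTFS partition, valid signature."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    disk_id = struct.pack("<I", 0x1234ABCD) + b"\x00\x00"      # constructed disk signature
    # status 0x80 (active), CHS start, type 0x07 (NTFS), CHS end, LBA start, sector count
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    table = entry + b"\x00" * (PART_ENTRY_LEN * 3)
    return code + disk_id + table + BOOT_SIGNATURE

def boot_code_hash(mbr: bytes) -> str:
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()

def parse_partitions(mbr: bytes) -> list:
    """Decode the four primary partition entries, skipping empty ones (type 0x00)."""
    parts = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", mbr, PART_TABLE_OFF + i * PART_ENTRY_LEN)
        if ptype:
            parts.append({"index": i, "active": status == 0x80, "type": ptype, "lba": lba, "sectors": count})
    return parts

def check_mbr(mbr: bytes, known_good: set) -> dict:
    """Return findings; verdict is 'standard' only when every check passes."""
    findings = []
    if len(mbr) != SECTOR_SIZE:
        findings.append("sector is not 512 bytes")
    elif mbr[510:512] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    if boot_code_hash(mbr) not in known_good:
        findings.append("boot code not in known-good set")
    parts = parse_partitions(mbr) if len(mbr) >= SECTOR_SIZE else []
    if sum(p["active"] for p in parts) != 1:
        findings.append("expected exactly one active partition")
    for p in parts:
        if p["lba"] == 0 or p["sectors"] == 0:
            findings.append("partition %d has zero start or length" % p["index"])
    return {"verdict": "standard" if not findings else "non-standard",
            "findings": findings, "partitions": parts, "boot_code_sha256": boot_code_hash(mbr)}

# Constructed sample; the known-good set is seeded from the sample itself as a placeholder
SAMPLE_GOOD_MBR = build_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c")   # stub bytes, not real boot code
KNOWN_GOOD_HASHES = {boot_code_hash(SAMPLE_GOOD_MBR)}
```

A real deployment would seed the known-good set from verified boot-code hashes for the OS versions in use; any sector whose boot code is not on that list is what a tool reports as "non-standard".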
     
  7. Texaslg

    Texaslg Private E-2

    Attached are the 2 logs. If nothing substantial is found from these reports, would you say my computer is fairly safe?
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The driver you quarantined ( cvpndrva.sys ) is a legitimate component of Cisco Systems VPN Client. Do you use this? You will need to restore it if it was deleted.


    Yes your logs are all clean so you should be okay.


    Since you are not having malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
6. If running Vista or Win 7, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
7. Go to Add/Remove Programs and uninstall HijackThis.
8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
9. After doing the above, you should work through the below link:
     
