My experience on Malware Removal Guide, Needs Advice!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by learning2geek, Jun 13, 2011.

  1. learning2geek

    learning2geek Private E-2

    Hello majorgeeks support,

    This is my first time here & I bumped into this site while "googling" for how to remove a Trojan. I have Advanced System Care (ASC) Pro 4.0 & AVG Internet Security 2011, 30 day trial. I use Windows 7 Home Premium, 64-bit. I fully scanned my whole PC with those 2 programs. What I found is that ASC cannot remove some infections while AVG can, and vice versa.

    Every time I quick scan my computer with ASC, I can read Trojan.Win32, Trojan Vundo, Adware, etc... Thus, I followed the instructions of the Sticky Post "Read & Run Me First Malware Removal Guide."

    I completed all the steps up to Step 8 without knowing if the Trojan & other spyware are still there. While doing this process, SUPERAntiSpyware detected 2 Trojan.Win32/Agent while Malwarebytes' Anti-Malware detected 2 hijackers.

    Since I completed till the last step, I want to ask two things:

    1. Am I safe, i.e. are the trojan & other infections no longer there? The reason I ask: I used ASC again after completing step 8, but trojan agent, trojan vundo & other trojans are still there.
    2. Is AVG Full Internet Security 2011 enough for anti-virus, anti-spyware, and firewall? The reason I ask is because the guide said to ensure that you only use one program each for antivirus, anti-spyware & firewall.
    3. Lastly, since I am using those 2, do I really need to use the anti-virus, anti-spyware, firewall & CCleaner (I use TFC for Temp File Cleaner) that are suggested in the guide? The reason I ask is that it seems ASC & AVG did not really get the infections, and also I don't know if ASC can really optimize my computer. My computer is just a year old with Windows 7 and always runs fast.

    I attached the logs as stated on the guide for your team to check.

    Thanks a lot for your help.

    Best & kind regards.
     

    Attached Files:

  2. thisisu

    thisisu Malware Consultant

    Welcome to Major Geeks

    I'm currently working through your logs and will get back to you as soon as I have time to finish going through all of the information. Please be patient as there is a lot of information to check.
     
  3. thisisu

    thisisu Malware Consultant

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    O9 - Extra button: Add to Evernote - {E0B8C461-F8FB-49b4-8373-FE32E92528A6} - (no file)
    O9 - Extra 'Tools' menuitem: Add to Evernote - {E0B8C461-F8FB-49b4-8373-FE32E92528A6} - (no file)

    After clicking Fix exit HJT.


    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    
    File::
    C:\Users\Maria Mazari\AppData\Local\Temp-9999
    
    
    FileLook::
    C:\Windows\System32\drivers\bwaut.sys
    
    
    DirLook::
    c:\users\Maria Mazari\AppData\Local\bhw
    
    
    Folder::
    C:\Users\Maria Mazari\AppData\Local\{01F83EA8-668E-42ED-BDC2-A078D85A349F}
    C:\Users\Maria Mazari\AppData\Local\{01F8B34D-65AA-46D4-A2EB-1EDC153077D7}
    C:\Users\Maria Mazari\AppData\Local\{02ACADC4-7E94-4A68-866E-D1F4A0A4EC22}
    C:\Users\Maria Mazari\AppData\Local\{04C703BA-F703-4773-96E9-ABA4747F17CE}
    C:\Users\Maria Mazari\AppData\Local\{07173BD7-C6C6-4185-A00F-133017445935}
    C:\Users\Maria Mazari\AppData\Local\{12CB5045-4F5B-4E73-9499-845665022935}
    C:\Users\Maria Mazari\AppData\Local\{2D3F1F0F-966D-4334-B6CD-76B4DACF3FCF}
    C:\Users\Maria Mazari\AppData\Local\{35FE4DA0-2596-4B2B-9CD9-CB3F39ABD95F}
    C:\Users\Maria Mazari\AppData\Local\{430AA61F-229E-4205-BEAA-881745D0F444}
    C:\Users\Maria Mazari\AppData\Local\{4A0472D3-657D-4E19-B827-CC3172598266}
    C:\Users\Maria Mazari\AppData\Local\{50B25B10-2D2B-4EA2-AFD4-43E88828C708}
    C:\Users\Maria Mazari\AppData\Local\{5E80284B-9703-48D0-8AF3-1D34FF98E49C}
    C:\Users\Maria Mazari\AppData\Local\{5E937FB0-B9E2-4CE6-982A-C91F857488DD}
    C:\Users\Maria Mazari\AppData\Local\{65EAF470-7549-447A-A2B2-D12853C134F8}
    C:\Users\Maria Mazari\AppData\Local\{689A1A40-7379-4856-ABB7-3322CB9E7286}
    C:\Users\Maria Mazari\AppData\Local\{68AE9896-7F31-411D-A3FB-76D24B77B4A8}
    C:\Users\Maria Mazari\AppData\Local\{6DFDBB86-468B-444F-91E2-5D5A870E6E4E}
    C:\Users\Maria Mazari\AppData\Local\{7239F782-EC89-407F-A001-7A1FB20CB3DC}
    C:\Users\Maria Mazari\AppData\Local\{76ADE7EB-A311-4CC8-A4AC-43C6282474F6}
    C:\Users\Maria Mazari\AppData\Local\{773F93A8-4762-4C43-A77F-2F128FD9EDC4}
    C:\Users\Maria Mazari\AppData\Local\{7AA32EB8-8387-4CDF-B111-1F14ABF32ED7}
    C:\Users\Maria Mazari\AppData\Local\{8B9772B5-0611-43EE-85A7-640C8E8DEAFC}
    C:\Users\Maria Mazari\AppData\Local\{8BB3B55A-919B-4465-B541-54BE5A5BDBB0}
    C:\Users\Maria Mazari\AppData\Local\{9829638C-55EA-4B0D-9EE6-FEF8FD03B032}
    C:\Users\Maria Mazari\AppData\Local\{98EA71A6-3B80-4FE3-A03E-7F9869F9541E}
    C:\Users\Maria Mazari\AppData\Local\{9CD9DFE8-3520-4F97-AB4C-2F54A70D616A}
    C:\Users\Maria Mazari\AppData\Local\{AC56E5E3-EDA1-4D6C-BDA3-44F5B4662E52}
    C:\Users\Maria Mazari\AppData\Local\{B014692E-C68D-4E34-874C-1755BE467237}
    C:\Users\Maria Mazari\AppData\Local\{B9B8B733-09E0-4AE6-8C3E-AAE86893F68E}
    C:\Users\Maria Mazari\AppData\Local\{BDC0592F-B81E-4F0A-994A-E33971F1742C}
    C:\Users\Maria Mazari\AppData\Local\{CE5C26F2-B715-47B3-9855-FADD9E7CF337}
    C:\Users\Maria Mazari\AppData\Local\{D1B9C735-446F-4500-8834-59F12AA58E99}
    C:\Users\Maria Mazari\AppData\Local\{D5DCADE1-FC11-434E-AC80-F67FE417CC08}
    C:\Users\Maria Mazari\AppData\Local\{DE62B68E-0441-4FEC-891C-CA9654954718}
    C:\Users\Maria Mazari\AppData\Local\{E157A68E-668D-4427-A166-4ACFEB39C396}
    C:\Users\Maria Mazari\AppData\Local\{E5502F19-25FC-4CC8-BA87-8EFC91167303}
    C:\Users\Maria Mazari\AppData\Local\{E5EEAE93-14FB-44A1-9537-324569174723}
    C:\Users\Maria Mazari\AppData\Local\{EED57251-1567-495A-880E-1A1451BDD74E}
    C:\Users\Maria Mazari\AppData\Local\{F193D360-410E-4A92-91F7-48C5A68E0C57}
    C:\Users\Maria Mazari\AppData\Local\{F6E47809-2E01-451B-8EC5-8F58E1DDAA74}
    C:\Users\Maria Mazari\AppData\Local\{F973E100-F8CA-4775-AEEC-C676799DB122}
    C:\Users\Maria Mazari\AppData\Local\{FDFEAE6D-E564-43B7-A3D6-CDB6B668BBB3}
    C:\Users\Maria Mazari\AppData\Local\{FF2BA43F-9DBA-4376-8064-54870860558A}
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe


    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    If after running ComboFix you discover none of your programs will open up, and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then the answer is to REBOOT the machine, and all will be corrected.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows 7.) Then attach the new C:\MGlogs.zip file that will be created by running this.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.
     
    Last edited: Jun 14, 2011
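Editor's note, not part of thisisu's post and not MGtools, HijackThis or ComboFix code: the three HJT lines above are flagged "(no file)" because the registry still holds a toolbar or button CLSID whose DLL is gone, and the Folder:: block of the CFScript removes GUID-named folders under Local AppData. The PowerShell below reports both kinds of leftover on the current machine without deleting anything, so the evidence can be reviewed before a fix is applied. It assumes an elevated PowerShell 3 or later prompt; the registry locations are the standard Internet Explorer Toolbar and Extensions keys, and the size and age columns for the folders are this example's own additions.

```powershell
# Editor-added example; not MGtools, HijackThis or ComboFix code.
# Reports (does not delete) orphaned IE toolbar/button CLSIDs and GUID-named
# folders under %LOCALAPPDATA%. Run from an elevated PowerShell prompt.

$guidRe = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'

# Resolve a CLSID to the DLL its InprocServer32 key points at, checking the
# 64-bit, 32-bit (Wow6432Node) and per-user class registrations.
function Get-ClsidServerPath {
    param([string]$Clsid)
    foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID',
                      'HKLM:\SOFTWARE\Wow6432Node\Classes\CLSID',
                      'HKCU:\SOFTWARE\Classes\CLSID') {
        $key = Join-Path $root "$Clsid\InprocServer32"
        if (Test-Path $key) {
            $p = (Get-ItemProperty -Path $key).'(default)'
            if ($p) { return [Environment]::ExpandEnvironmentVariables($p.Trim('"')) }
        }
    }
    return $null
}

# O9 entries (Extensions\{guid}) reach their target through ClsidExtension,
# Exec or Script; O3 entries (Toolbar value names) are the CLSID itself.
function Resolve-ExtensionTarget {
    param([string]$KeyPath)
    $v = Get-ItemProperty -Path $KeyPath
    if ($v.ClsidExtension) { return Get-ClsidServerPath $v.ClsidExtension }
    foreach ($name in 'Exec', 'Script') {
        if ($v.$name) { return [Environment]::ExpandEnvironmentVariables($v.$name.Trim('"')) }
    }
    return $null
}

$orphans = foreach ($hive in 'HKLM', 'HKCU') {
    $tb = "${hive}:\SOFTWARE\Microsoft\Internet Explorer\Toolbar"
    if (Test-Path $tb) {
        foreach ($g in (Get-Item $tb).GetValueNames() | Where-Object { $_ -match $guidRe }) {
            $dll = Get-ClsidServerPath $g
            if (-not $dll -or -not (Test-Path -LiteralPath $dll)) {
                [pscustomobject]@{ Kind = 'O3 Toolbar'; Clsid = $g; Source = $tb; Target = $dll }
            }
        }
    }
    $ext = "${hive}:\SOFTWARE\Microsoft\Internet Explorer\Extensions"
    if (Test-Path $ext) {
        foreach ($k in Get-ChildItem $ext | Where-Object { $_.PSChildName -match $guidRe }) {
            $target = Resolve-ExtensionTarget $k.PSPath
            if (-not $target -or -not (Test-Path -LiteralPath $target)) {
                [pscustomobject]@{ Kind = 'O9 Button'; Clsid = $k.PSChildName; Source = $ext; Target = $target }
            }
        }
    }
}
"Orphaned browser entries (registry points at a file that is not there):"
$orphans | Format-Table -AutoSize

# GUID-named folders directly under Local AppData, like the Folder:: block above.
"GUID-named folders under $($env:LOCALAPPDATA):"
Get-ChildItem -Path $env:LOCALAPPDATA -Directory |
    Where-Object { $_.Name -match $guidRe } |
    ForEach-Object {
        $sum = (Get-ChildItem -LiteralPath $_.FullName -Recurse -File -ErrorAction SilentlyContinue |
                Measure-Object -Property Length -Sum).Sum
        [pscustomobject]@{ Folder = $_.FullName; Created = $_.CreationTime; Bytes = [int64]$sum }
    } | Format-Table -AutoSize
```

A missing DLL only proves the entry is stale (an uninstaller that forgot to clean the registry produces the same thing), and a GUID-named folder is not malicious by itself; the point of listing them is to compare against what HijackThis and ComboFix report and to keep a record of what was removed.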
  4. learning2geek

    learning2geek Private E-2

    Hello Thisisu,

    Thanks a lot for your help. I did everything as you instructed. Attached herewith are the two log files.

    After I did everything and rebooted the machine, I used Advanced System Care Pro (ASC) to scan and see if Trojans are still there. Indeed, I can still read Trojan Agent, Trojan Vundo, Adware, etc... while ASC is scanning.

    Am I safe now or do I need to run an anti-trojan program to remove them from my PC?

    Thanks a lot for your help.

    Best & kind regards,

    Maria
     

    Attached Files:

    Last edited by a moderator: Jun 14, 2011
  5. learning2geek

    learning2geek Private E-2

    Hello thisisu,

    Just to let you know that I already did as per your instructions & attached the logs on my post before this, which is in moderation.

    Again, thanks for your help.

    Kind regards,

    Maria
     
  6. thisisu

    thisisu Malware Consultant

    Thank you, Maria

    We are reviewing the new logs now :)

    Please tell me what ASC is complaining about as I am not seeing any malware in your logs.
     
    Last edited by a moderator: Jun 14, 2011
  7. thisisu

    thisisu Malware Consultant

    First, I want you to delete the following folder using Windows Explorer

    C:\ProgramData\ParetoLogic

    Open "My Computer"
    Double click C:
    Double click the ProgramData Folder
    Locate ParetoLogic
    Right mouse click the ParetoLogic folder ONE TIME, and select "Delete" from the new menu that appears.
    Select "Yes" when prompted
    The folder is now deleted :)
    Let me know if you had any errors deleting this folder or not in your next reply, please

    Now I want you to delete the following file: ParetoLogic Registration.job

    This file is in: c:\windows\Tasks\

    Please navigate to this folder using the same methods, but this time we are only deleting the ParetoLogic Registration.job file. (DO NOT DELETE THE ENTIRE Tasks Folder)

    Like before, let me know if you were successful or not.

    Next


    I want you to run TDSSKiller so refer to the below for how to do so.

    TDSSkiller - How to run



    Next, Please go to virustotal and upload the following files for analysis, and let me know the results.

    C:\Windows\system32\9B13A86D.plf
    C:\Windows\System32\drivers\bwaut.sys


    Could you please get this file: installer.bat into a zip file and attach it for me in your next post? To do this, see below:

    Please go to start > Run and paste in the following: (Be sure to scroll all the way across to highlight all of the text)

    Code:
    %systemdrive%\MGTools\zip "%systemdrive%\collect.zip" c:\windows\system32\installer.bat
    log retrievable @ C:\collect.zip
     
    Last edited by a moderator: Jun 15, 2011
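Editor's note, not part of thisisu's post and not MGtools or ComboFix code: before uploading anything to VirusTotal it helps to record what is actually on disk. The PowerShell below, written for this page, takes the file paths named in the post, looks in both System32 and SysWOW64 (a 32-bit scanner on 64-bit Windows sees the SysWOW64 copy when it says "System32"), prints size, timestamp, SHA-256 and Authenticode status for each file that exists, dumps the strings from the ParetoLogic .job task so you can see what it launches, and only then zips the files that were found. It assumes an elevated PowerShell 5 or later prompt (Get-FileHash and Compress-Archive; Windows 7 needs WMF 5.1 for those). A zip tool given an input that does not exist has nothing to add and typically creates no archive, which is consistent with the follow-up reply below finding neither installer.bat nor collect.zip.

```powershell
# Editor-added example; not MGtools or ComboFix code. Assumes an elevated
# PowerShell 5+ prompt (Get-FileHash, Compress-Archive; Windows 7 needs WMF 5.1).

$suspects = @(
    'C:\Windows\System32\9B13A86D.plf',
    'C:\Windows\System32\drivers\bwaut.sys',
    'C:\Windows\System32\installer.bat'
)
$taskJob = 'C:\Windows\Tasks\ParetoLogic Registration.job'
$outZip  = "$env:SystemDrive\collect.zip"

# On 64-bit Windows a file reported under System32 by a 32-bit scanner may really
# live in SysWOW64 (file-system redirection), so look in both before calling it missing.
function Expand-SysPaths {
    param([string]$Path)
    $Path
    if ($Path -match '^C:\\Windows\\System32\\') {
        $Path -replace '^C:\\Windows\\System32\\', 'C:\Windows\SysWOW64\'
    }
}

$found = @()
foreach ($p in $suspects) {
    foreach ($cand in Expand-SysPaths $p) {
        if (-not (Test-Path -LiteralPath $cand)) { "missing: $cand"; continue }
        $f   = Get-Item -LiteralPath $cand -Force
        $sig = Get-AuthenticodeSignature -FilePath $cand
        [pscustomobject]@{
            Path      = $cand
            Bytes     = $f.Length
            Modified  = $f.LastWriteTime
            SHA256    = (Get-FileHash -LiteralPath $cand -Algorithm SHA256).Hash  # paste into VirusTotal's search box
            Signature = $sig.Status                                                # NotSigned on a kernel driver deserves a look
            Signer    = $sig.SignerCertificate.Subject
        } | Format-List
        $found += $cand
    }
}

# The .job file sits in the legacy task store; it is binary with UTF-16 strings, so
# dump the printable wide strings to see what command line it runs.
if (Test-Path -LiteralPath $taskJob) {
    "strings in $taskJob :"
    $txt = [Text.Encoding]::Unicode.GetString([IO.File]::ReadAllBytes($taskJob))
    [regex]::Matches($txt, '[\x20-\x7e]{6,}') | ForEach-Object { $_.Value }
}

# Only archive files that exist; an input that is not there is the usual reason a
# zip command flashes a console window and leaves no archive behind.
if ($found.Count -gt 0) {
    Compress-Archive -LiteralPath $found -DestinationPath $outZip -Force
    "wrote $outZip ($($found.Count) file(s))"
} else {
    "nothing to collect"
}
```

Searching VirusTotal by SHA-256 first avoids uploading a file that has already been analysed, and the Authenticode status is a cheap first filter: on 64-bit Windows 7 a loaded kernel driver must carry a valid signature unless test-signing is on, so an unsigned .sys under drivers\ is either not loading or is worth a closer look.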
  8. learning2geek

    learning2geek Private E-2

    Thanks thisisu.

    I can only upload the TDSSKiller log because the zip file does not exist even though I followed your instructions. I did it like this: in Start, I entered Run; in its textbox, I entered %systemdrive%\MGTools\zip "%systemdrive%\collect.zip" c:\windows\system32\installer.bat, then I clicked OK. A "black window" showed up that I don't know what it was because it was only there for half a second. Then I searched the C: drive for collect.zip & also installer.bat but they don't exist.

    For the result of virustotal:

    1. File name: 9B13A86D.plf Submission date: 2011-06-15 18:37:38 (UTC) Current status: finished Result: 0/ 42 (0.0%)
    2. File name: bwaut.sys Submission date: 2011-06-15 18:55:31 (UTC)
      Current status: finished Result: 0/ 43 (0.0%)

    When ASC Pro scans, on Quick Malware Scan, I can read Trojan.Win32/Agent, Trojan.Win32/Vundo & others but at the end of Quick Malware Scan, it said No Problem. I also tried using Microsoft Safety Scanner & Microsoft Malware Removal tool and both said no infections.

    But, when I used Anti-Trojan Elite, it said there is a trojan on my PC and if I want to remove it, I need to buy the license. I could buy the license but there is no guarantee on their sales page; what if there is none or their software doesn't work as it claims? My $30 would be gone.

    Thanks thisisu. If you can't see infections on my PC, that's all right. You already spent so much of your free time for me. And, I am also already fed up with this because it's been 3 days that my other projects have been on hold because of this "fear of trojans" and cleaning up these trojans.

    Maybe there are really no infections, because I have tried many scanners already; for example I am now using the 30 day trial of Emsisoft Anti-Malware and during its scan it did not see trojans but flagged medium threats from tvunetwork and freeze.com and from the HP/Games folder. I believe they are safe but since I can't remember about freeze.com & tvunetwork, I quarantined & deleted them.

    As I said, thanks a lot for all your help and let's just put this to rest. May God Bless You for what you've done.
     

    Attached Files:

  9. thisisu

    thisisu Malware Consultant

    I feel it's just listing the things it scans for, not actually alerting you to the threat being present on the machine, otherwise it surely would give a file and file path. :)
    If possible, upload the log provided by ASC so we can investigate.


    Your tdsskiller.log is clean

    Could you please get the following file into a .zip and upload it here for analysis?

    c:\windows\system32\drivers\bwaut.sys

    To do this.. Please go to start > Run and paste in the following:

    Code:
    %systemdrive%\MGTools\zip "%systemdrive%\collect.zip" c:\windows\system32\drivers\bwaut.sys
    log retrievable @ C:\collect.zip

    If this fails, then please zip this file yourself and upload here



    Now let's use ComboFix to remove more malware files:

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    
    File::
    C:\Windows\system32\9B13A86D.plf
    C:\Windows\SysWOW64\9B13A86D.plf 
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    Note: If after running ComboFix you discover none of your programs will open up, and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then the answer is to REBOOT the machine, and all will be corrected.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\MGlogs.zip
    * C:\Collect.zip

    Make sure you tell me how things are working now!
     
  10. learning2geek

    learning2geek Private E-2

    Hello thisisu,

    I researched on the net and found out that Trojan.Win32/Agent, Trojan.Win32/Vundo, Trojan.Dropper, Adware and others are commonly seen when scanning with Advanced System Care Pro 4.0. I see many names like that while ASC is scanning, but they are not detected as infections when the scan ends.

    Some answers on the net said they don't mean the PC is infected with a trojan and that they are probably signatures for other software.

    Does majorgeeks.com have a guide on how to put the PC back?

    What I mean is, I uninstalled SUPERAntiSpyware and Malwarebytes Anti-Malware. Should I also uninstall ComboFix & MGTools? How about Defogger, which I used to disable the CD thing?

    You know, those processes from when I was cleaning up. What do I do now to restore?

    I hope you get my point and thanks a lot for your help.

    Regards,

    Maria
     
  11. thisisu

    thisisu Malware Consultant

    We are not completely done with the malware removal process. Please don't run ASC scans until completely finished

    Please follow the steps outlined in my previous post (we posted at the same time)
     
  12. learning2geek

    learning2geek Private E-2

    Hello thisisu,

    Sorry for the delay as I am already a bit fed up with this stuff. I believe there are no infections on my PC per the scans of many programs.

    Anyway, here are the files you requested. I am sorry, I can't find a Collect.zip file. Also, the ASC log was the latest Manual Scan, not the first time I used ASC.

    Maybe what you can do is give me the guide on how to restore my PC, or I'll just go back to the Read & Run Me Malware Guide & reverse the instructions given for each step. What do you think?

    Once again, thank you for your help.

    Kind regards.
     

    Attached Files:

  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I am not a big fan of ASC, but it is up to you. Your logs are clean.

    If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They do not use any significant amount of resources (except a little disk space) until you run a scan. We recommend them for doing backup scans when you suspect a malware infection.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.


    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    10. After doing the above, you should work thru the below link:


     
  14. learning2geek

    learning2geek Private E-2

    Hello TimW,

    Thanks for that guide. I followed all except #1 because I am still using the 30 day trial of Emsisoft Anti-Malware, which acts as anti-virus, anti-malware and firewall, and per your malware guide, just choose one for each.

    My question now is about Qoobox folder on drive C: This folder is dated 18/06/2011 and contains another folder BackEnv and 3 files: ComboFix2.txt, ComboFix3.txt, ComboFix4.txt.

    Will I delete the Qoobox folder?

    Thanks for your help.
     
  15. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    When you ran the script to uninstall ComboFix, it should have also removed the Qoobox folder. Did it not? If not, open the folder and manually remove the contents, then see if you can remove the folder itself.
     
  16. learning2geek

    learning2geek Private E-2

    Thanks TimW for that reply.

    I deleted the files and folder inside Qoobox but got access denied because it required administrator permission. The 3 files were deleted though, but BackEnv couldn't be.

    Is it ok to leave the folder?

    Thanks.
     
  17. thisisu

    thisisu Malware Consultant

    Did you run the combofix.exe /uninstall command from the Start>Run menu? This was step 2 in the final steps.

    That should have removed the entire Qoobox folder.

    What you can try to do is download combofix.exe again, Save it to your desktop. DO NOT DOUBLE CLICK IT.

    Then try running the Combofix.exe /uninstall command from Run dialog box or from the command (Start > Run > cmd) window.

    Remember that there is a SPACE between .exe and /uninstall
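Editor's note, not part of thisisu's post and not a ComboFix feature: the access-denied error reported above is what happens when a folder created by an elevated process is deleted from a non-elevated Explorer window. If the /uninstall route keeps failing, the PowerShell below (written for this page) removes the leftover folder from an elevated prompt by taking ownership, granting the built-in Administrators group full control, and then deleting the tree. It assumes ComboFix has already been uninstalled, that nothing under C:\Qoobox is still wanted (ComboFix keeps its quarantine and backups there), and that the prompt was started with "Run as administrator".

```powershell
# Editor-added example; not a ComboFix feature. Run from an elevated PowerShell
# prompt (right-click > Run as administrator). Assumes ComboFix was already
# uninstalled and nothing under C:\Qoobox (quarantine, backups) is still wanted.
$dir = 'C:\Qoobox'
if (Test-Path -LiteralPath $dir) {
    # The folder and its contents were created by an elevated process, so the
    # interactive user may lack delete rights. Take ownership, grant the
    # built-in Administrators group (SID S-1-5-32-544, locale-independent)
    # full control on every item, then remove the tree.
    takeown /f $dir /r /d y | Out-Null
    icacls $dir /grant '*S-1-5-32-544:(OI)(CI)F' /t /c | Out-Null
    Remove-Item -LiteralPath $dir -Recurse -Force
    if (Test-Path -LiteralPath $dir) {
        "still present; a file inside is probably open or locked, reboot and retry"
    } else {
        "removed $dir"
    }
} else {
    "$dir is not there; nothing to do"
}
```

Using the SID rather than the name "Administrators" keeps the command working on non-English Windows, and the final Test-Path tells you whether something inside the folder was still held open, in which case a reboot before retrying is the simplest fix.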
     
  18. learning2geek

    learning2geek Private E-2

    Yes, I ran it thisisu on the Run command two to three times.

    If leaving the Qoobox folder does not pose a security threat, it's all right with me to leave it on drive C: rather than starting again.

    What do you think?

    Thanks.
     
  19. thisisu

    thisisu Malware Consultant

    If you don't mind it being there, it does not pose any security threat.
     
