Please check my logs - much appreciated

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Nomiballou, Oct 19, 2008.

  1. Nomiballou

    Nomiballou Private E-2

    Hello,

    My SpyBot Startup list showed a couple of malware items (coolwebsearch and small-ew trojan) so I followed your malware removal process. They're still there. I'd appreciate your help very much.

    Somehow some of the malware removal files and logs ended up in my Application Data folder even though I deliberately saved them somewhere else when installing.

    Thanks,

    Nomiballou
     

    Attached Files:

  2. Nomiballou

    Nomiballou Private E-2

    Please check my logs - much appreciated (Part Deux)

    Addendum - the MGtools log.

    Nomi
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Your logs are all clean but we have some minor things to do. First however you must disable Spybot's Teatimer as was requested in the READ & RUN ME. See this: How to disable Spybot's TeaTimer

    Attach a log from Spybot that shows what it is finding. Just right click in the results window and save the log. Or simply look here C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs which is where Spybot saves logs. Attach your most recent log.


    That is where SAS & MBAM save them as soon as they are finished running

    Do you know what the below files are for?
    Code:
    2008-10-04 17:10 . 2008-10-04 17:10 0 --a--c--- C:\~VM7C7.tmp
    2008-10-04 17:10 . 2008-10-04 17:10 0 --a--c--- C:\~VM7C6.tmp
    2008-10-04 17:10 . 2008-10-04 17:10 0 --a--c--- C:\~VM7C5.tmp
    2008-10-04 17:10 . 2008-10-04 17:10 0 --a--c--- C:\~VM7C4.tmp
    2008-10-04 17:10 . 2008-10-04 17:10 0 --a--c--- C:\~VM7C3.tmp
    2008-10-04 17:10 . 2008-10-04 17:10 0 --a--c--- C:\~VM7C2.tmp
    2008-10-04 17:10 . 2008-10-04 17:10 0 --a--c--- C:\~VM7C1.tmp
    2008-10-04 17:10 . 2008-10-04 17:10 0 --a--c--- C:\~VM7C0.tmp
    2008-10-04 17:10 . 2008-10-04 17:10 0 --a--c--- C:\~VM7BF.tmp
    2008-10-03 15:46 . 2006-11-30 16:24 86,016 --a------ C:\WINDOWS\system32\custmon32.dll
    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.
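    The file lines chaslang quoted are in the ComboFix "new files" layout (created date, modified date, size, attribute flags, path). The parser below is an added example, not part of the thread or of ComboFix; the field order is assumed from the quoted lines, and the triage rules just encode the advice given in this thread (delete the empty root .tmp files, leave the old system32 DLL alone) as a hint, not a verdict.

```python
import re
from dataclasses import dataclass

# Constructed sample: the same layout as the lines quoted in the post above.
SAMPLE_LOG = """\
2008-10-04 17:10 . 2008-10-04 17:10 0 --a--c--- C:\\~VM7C7.tmp
2008-10-04 17:10 . 2008-10-04 17:10 0 --a--c--- C:\\~VM7BF.tmp
2008-10-03 15:46 . 2006-11-30 16:24 86,016 --a------ C:\\WINDOWS\\system32\\custmon32.dll
"""

# Layout assumed from the quoted lines: <created> . <modified> <size> <attrs> <path>
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>[\d,]+) (?P<attrs>[-a-z]{9}) (?P<path>.+)$"
)

@dataclass
class Entry:
    created: str    # ISO-style timestamp, so string comparison orders correctly
    modified: str
    size: int
    attrs: str
    path: str

def parse_log(text: str) -> list[Entry]:
    """Parse every well-formed line; lines that do not match the layout are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m["created"], m["modified"],
                                 int(m["size"].replace(",", "")), m["attrs"], m["path"]))
    return entries

def classify(e: Entry) -> str:
    """Triage hint only: an old timestamp can be forged, so still verify the file itself."""
    name = e.path.rsplit("\\", 1)[-1].lower()
    in_root = e.path.count("\\") == 1            # sits directly under C:\
    if e.size == 0 and name.endswith(".tmp") and in_root:
        return "empty temp file: delete"
    if name.endswith(".dll") and "\\system32\\" in e.path.lower() and e.modified < e.created:
        # Modified long before it appeared here: copied from an older package, not freshly built.
        return "system DLL with old timestamp: leave alone"
    return "unknown: ask"

def triage(text: str) -> dict[str, str]:
    """Map each parsed path to its triage hint."""
    return {e.path: classify(e) for e in parse_log(text)}
```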
     
  4. Nomiballou

    Nomiballou Private E-2

    Thanks so much for doing this!

    I disabled SpyBot's Tea Timer (don't know how I ended up with it, since I actually uninstalled my SB and reinstalled it WITHOUT Tea Timer to comply with the Malware Removal instructions!).

    I re-ran SpyBot and have attached the log.

    I have no idea what the files you listed are.

    I did the fixme.reg process and it was successful!

    BUT I just checked the SpyBot startup list again and it looks like I have malware in SpyBot itself. When I try to "View Report" from Tools the icon disappears and nothing happens. I've attached a file with two startup entries that look problematic.

    Don't know if I've done something wrong by running SpyBot again (?) or what ...

    Question: Now when I reboot, I get a screen that asks me if I want XP or the recovery console. Is this normal?

    I REALLY appreciate your help.

    Nomi
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your Spybot log is clean like the rest of your logs. You are misinterpreting those startup lists you are reading from. That is not a report from Spybot. That is you searching PAC's Portal and misinterpreting the data. You do not have any of that malware.

    C:\WINDOWS\system32\CTFMON.EXE is a Microsoft Windows file ( see http://support.microsoft.com/kb/282599 ) and C:\Program Files\Java\jre6\bin\jusched.exe is the autoupdate process for Sun Java.

    Then just delete the .tmp files and leave the DLL file alone.


    Yes, after installing the Recovery Console as part of the ComboFix procedure. It will just bypass that very quickly if you don't hit any keys. It could come in handy some day if you run into problems with Windows not booting up, from either malware or from just problems with Windows itself.




    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Note: the space between the combofix" and the /u must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\combofix folder from combofix (if it exists)
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    8. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work through the below link:
     
  6. Nomiballou

    Nomiballou Private E-2

    Thanks for the good news and your valuable time.

    I guess the latest version of Spybot is including the PAC Portal info in the Startup List, and it confused me. Sorry.

    Will follow the final steps as recommended.

    Thanks so much,

    Nomi
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely.
     
