Please help with Malware removal, tried the sticky process, roadblock

kenlenard · May 18, 2009

Guys: I appreciate all of the info I have found here. I have an old Dell 4300 running XP networked to a newer Vista machine. The older machine started with popups, hijacking and the like in the past few days. I found the sticky with all of the instructions (again, very much appreciated). I followed the instructions and got to the point where I was to run SuperAnti-Spyware. It ran for a few minutes and then I got a windows message that said that a certain pgm had to shutdown (I do not remember the pgm name, but it was a long number like 2922360534.exe). I clicked "DON'T SEND" so it wouldn't report the error and then the machine restarted by itself. This has happened twice and then I just shut the machine down. I'm sure this question is asked a million times and I will apologize in advance. My McAfee is constantly telling me that it has found and removed trojans, I have seen files like freddy43.exe and other suspicious files under the processes tab in task manager. I have also downloaded the suggested pgms (Super AntiSpyware, ComboFix, AntiMalwareByte, etc. and I have run CCleaner). Any suggestions? Thanks guys.

dr.moriarty · May 20, 2009

Hello, kenlenard.

Any suggestions?
Click to expand...

Yes - complete our procedure and attach as many of the requested logs you can.

Please follow the instructions in the READ & RUN ME FIRST link given futher down and attach the requested logs when you finish these instructions.

If you have problems where no tools seem to run, please try following the steps given in the below and then continue on no matter what you find. You only need to try the TDSSserv steps if having problems getting scans in the Read & Run Me First. If TDSSserv is not found, just continue on with the READ & RUN ME.

TDSSserv Non-Plug & Play Driver Disable

READ & RUN ME FIRST. Malware Removal Guide

If something does not run, write down the info to explain to us later but keep on going.

Do not assume that because one step does not work that they all will not.

After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain ( if any still do )!

Helpful Notes:

If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:

Starting your computer in Safe mode

If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware, Malwarebytes and Spybot ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.

If you cannot seem to login to an infected user account, try using a different user account (if you have one) in either normal or safe boot mode and running only SUPERAntiSpyware and Malwarebytes while logged into this other user account. Then reboot and see if you can log into the problem user account. If you can then run SUPERAntiSpyware, Malwarebytes, ComboFix and MGtools on the infected account as requested in the instructions.

To avoid additional delay in getting a response, it is strongly advised that after completing the READ & RUN ME you also read this sticky:

Don't Bump! It Only Hurts You!!!

Any additional post is a bump which will add more delay. Once you attach the logs, your thread will be in the work queue and as stated our system works the oldest threads FIRST.

Click to expand...

kenlenard · May 21, 2009

Thanks for the reply. I ran thru the entire process and the only issue I had was running ComboFix for some reason. I downloaded it along with all of the other programs and the icon was on my desktop. But when it came time to run it, it was gone. When I tried to download it again, it got to 99% downloaded and then gave me an "Access Denied" error. I continued with the process (CCleaner, SuperAnti Spyware, MalwareBytes, MGTools, etc.) and miraculously... it seems to have worked. All of the popups, hijacking of sites, etc. is gone and my old PC is running about as fast as possible at the moment. I still don't know how ComboFix disappeared from my system or why I couldn't download it again, but it looks like everything is smooth. McAfee is in place and says all is okay. I would like to thank everyone on the board for their time and effort. The process has a few bumps (broken links, programs that need to be adjusted to run, etc.) but it clearly works. For anyone who needs this process to remove malware from your system, you can trust it to repair your system. Thank you again.

dr.moriarty · May 21, 2009

You're welcome!

If you are not having any other malware problems, it is time to do our final steps:

We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significan amount of resources ( except a little disk space ) until you run a scan.

If we had you use ComboFix, uninstall ComboFix (=This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)

Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required

"%userprofile%\Desktop\combofix" /u

Notes: The space between the combofix" and the /u, it must be there.

This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.

Delete the C:\combofix folder from combofix (if it exists)

If we had you run Avenger, you can delete all files related to Avenger now.

Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.

If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.

If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.

Go to add/remove programs and uninstall HijackThis.

You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip

If you are running Vista, Windows XP or Windows ME, do the below:

Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.

Then reboot and Enable System Restore to create a new clean Restore Point.

After doing the above, you should work thru the below link:

How to Protect yourself from malware

Click to expand...

Safe surfing!

Log in or Sign up

Please help with Malware removal, tried the sticky process, roadblock

kenlenard Private E-2

dr.moriarty Malware Super Sleuth Staff Member

kenlenard Private E-2

dr.moriarty Malware Super Sleuth Staff Member

Log in or Sign up

Please help with Malware removal, tried the sticky process, roadblock

kenlenard Private E-2

dr.moriarty Malware Super Sleuth Staff Member

kenlenard Private E-2

dr.moriarty Malware Super Sleuth Staff Member

Useful Searches