Please review logs, part 2...

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by insan_art, Jun 5, 2009.

  1. insan_art

    insan_art Private First Class

    Hi again! I'm working on another computer at the same house as the laptop from this thread - finally got through all the scans and such.

    This machine is a monster. It's an old eMachines desktop that has been upgraded and modified a ton. I'm not going to get into the details unless you specifically need/ask for them...it's a little confusing.

    I would appreciate if you could review the logs from this system. I want to make sure it's clear of all the malware before I tackle straightening out the file system and multiple hard drive craziness. :)

    Logs are attached. As always, thank you for your time!
     


  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your MGtools log is very incomplete. Did you let it finish running? Did you see any error messages like those mentioned in the instructions? Download the current version and try running it again. Make sure you wait for it to finish running. Attach a new log.

    The other logs show a lot was already removed.
     
  3. insan_art

    insan_art Private First Class

    Hello chaslang, thank you for your reply and your patience.

    To answer your questions about my first MGtools scan: Yes, I let MG finish running. No, there were no error messages.

    However, I'm pretty sure I've figured out the problem and it's the crazy multiple hard drive situation I mentioned earlier. At the time of starting the cleaning process and scanning, I wasn't exactly sure what hard drive Windows was running on. Upon start-up, I'm presented with 2 options: Windows XP Pro & Windows XP Pro! They've been running off of the first boot choice, so that's what I've been running through - but I didn't realize what hard drive it was running off of...

    ...to make this super long story short, I believe now that Windows start-up option is running off of drive "I" (which makes sense after learning the full story on the franken-mod-upgrades this thing has been through). So, (I'm thinking) the problem with MGtools before was that I was running it out of the C drive, when I probably should've been running it out of the "I" drive.

    Anyways, here's the MG log after I ran it from the "I" drive. I watched it progress - seems like it worked all the way through this time. I did receive the error about .NET ("The application failed to initialize properly (0xc0000135)....").

    Thank you again!
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Were the below knowingly installed:

    Frontier Browser Assistant
    Frontier Search Helper

    We normally uninstall these since they may be related to MyWay WebSearch. I suggest that they be uninstalled now and then continue on with the below, which also manually removes items from these just in case the uninstall does not work properly.

    Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/frontiersidebar.jsp?p=CI
    R3 - URLSearchHook: (no name) - {38E77F06-89FC-44f5-B3AB-11DDEB791947} - I:\Program Files\FrontierSH\SrchHelp\frSrcAs.dll
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: (no name) - {38E77F01-89FC-44f5-B3AB-11DDEB791947} - I:\Program Files\FrontierSH\SrchHelp\frSrcAs.dll
    O2 - BHO: FrontierBA BHO - {A93A3CC1-BA23-4d0d-9440-6A0148362B7E} - I:\Program Files\FrontierBA\BrowserAssistant\fbabar.dll
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O3 - Toolbar: &Frontier Browser Assistant - {A93A3CC9-BA23-4d0d-9440-6A0148362B7E} - I:\Program Files\FrontierBA\BrowserAssistant\fbabar.dll

    After clicking Fix, exit HJT.

    Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below log:
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  5. insan_art

    insan_art Private First Class

    Hello Chaslang,

    I'm not sure if the Frontier stuff was installed "knowingly". We use Frontier internet here so I probably saw those and was thinking they were internet related (this is what happens when my attention is divided between cleaning two computers at once - sorry about that!). The Frontier things were uninstalled first as instructed.

    I then ran HJT and removed all the lines as asked except a few that did not appear. I apologize, I had written all of these down and I misplaced the paper, but the entries seem to have been related to the Frontier software and I believe these were all of them:

    R3 - URLSearchHook: (no name) - {38E77F06-89FC-44f5-B3AB-11DDEB791947} - I:\Program Files\FrontierSH\SrchHelp\frSrcAs.dll
    O2 - BHO: (no name) - {38E77F01-89FC-44f5-B3AB-11DDEB791947} - I:\Program Files\FrontierSH\SrchHelp\frSrcAs.dll
    O2 - BHO: FrontierBA BHO - {A93A3CC1-BA23-4d0d-9440-6A0148362B7E} - I:\Program Files\FrontierBA\BrowserAssistant\fbabar.dll
    O3 - Toolbar: &Frontier Browser Assistant - {A93A3CC9-BA23-4d0d-9440-6A0148362B7E} - I:\Program Files\FrontierBA\BrowserAssistant\fbabar.dll

    Ran CCleaner and then getlogs.bat. The log file is attached.

    Thank you for your time from both myself and the couple who owns the computer. They are thrilled with the results of your cleaning process! At this time the computer is running very well. Before I started the cleaning and scans, they thought this system was on its last legs. Now, I think it is close to being the sound production station that they want to use it for! :cool
     


  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. You have one more leftover Toolbar from Frontier to remove. I mentioned it last time, but now, since the uninstall, there is no file name. Just use analyse.exe to fix the below line:

    O3 - Toolbar: (no name) - {A93A3CC9-BA23-4d0d-9440-6A0148362B7E} - (no file)


    Now if you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\combofix folder from combofix (if it exists)
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    7. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work through the below link:
     
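As an added example (editorial, not part of the thread and not MGtools or HijackThis code), the reasoning behind chaslang's fix list in reply 4 and the leftover toolbar in reply 6 can be written as a small checker over HijackThis scan lines. It parses the R1/R3/O2/O3 lines quoted in reply 4, flags the IE Search Bar pointing at a known search hijacker, flags registrations whose DLL is "(no file)", groups the CLSIDs that share one DLL (so a BHO, its URLSearchHook and its toolbar get fixed together), and diffs a "before" scan against an "after" scan to catch the case from reply 6, where the uninstaller removed the DLL but left the CLSID registered. The "before" lines are copied from the thread; the "after" scan is constructed to match reply 6, and the hijacker domain list is an assumption seeded from the URL on this page.

```python
"""Checker for HijackThis (MGtools analyse.exe) scan lines.

Constructed sample input: BEFORE_SCAN is copied from the thread above;
AFTER_SCAN is a made-up scan that reproduces the leftover toolbar reported
in the last reply. HIJACK_DOMAINS is an assumption seeded from the R1 line.
"""
import re
from dataclasses import dataclass

# Domains treated as search hijackers (assumption; extend as needed).
HIJACK_DOMAINS = ("myway.com", "mywebsearch.com")

# O2 (BHO), O3 (Toolbar) and R3 (URLSearchHook) lines share one shape:
#   "<type> - <kind>: <name> - {CLSID} - <dll path or (no file)>"
COM_LINE = re.compile(
    r"^(?P<type>O2|O3|R3) - (?P<kind>BHO|Toolbar|URLSearchHook): "
    r"(?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*)$"
)
# R0/R1 lines: "<type> - <hive\key>,<value name> = <data>"
REG_LINE = re.compile(r"^(?P<type>R[01]) - (?P<key>[^,]+),(?P<value>[^=]+) = (?P<data>.*)$")

BEFORE_SCAN = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/frontiersidebar.jsp?p=CI
R3 - URLSearchHook: (no name) - {38E77F06-89FC-44f5-B3AB-11DDEB791947} - I:\Program Files\FrontierSH\SrchHelp\frSrcAs.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {38E77F01-89FC-44f5-B3AB-11DDEB791947} - I:\Program Files\FrontierSH\SrchHelp\frSrcAs.dll
O2 - BHO: FrontierBA BHO - {A93A3CC1-BA23-4d0d-9440-6A0148362B7E} - I:\Program Files\FrontierBA\BrowserAssistant\fbabar.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Frontier Browser Assistant - {A93A3CC9-BA23-4d0d-9440-6A0148362B7E} - I:\Program Files\FrontierBA\BrowserAssistant\fbabar.dll
""".strip().splitlines()

# Constructed "after uninstall" scan: the DLL is gone, the CLSID is not.
AFTER_SCAN = r"""
O3 - Toolbar: (no name) - {A93A3CC9-BA23-4d0d-9440-6A0148362B7E} - (no file)
""".strip().splitlines()


@dataclass
class Finding:
    line: str
    reason: str


def parse_com_entries(lines):
    """Return {CLSID (upper-case): (type, name, path)} for O2/O3/R3 lines."""
    entries = {}
    for line in lines:
        m = COM_LINE.match(line.strip())
        if m:
            entries[m["clsid"].upper()] = (m["type"], m["name"], m["path"])
    return entries


def flag_entries(lines):
    """Flag search hijacks and COM registrations whose DLL no longer exists."""
    findings = []
    for line in lines:
        line = line.strip()
        m = COM_LINE.match(line)
        if m:
            if m["path"] == "(no file)":
                findings.append(Finding(line, "orphaned registration: CLSID still registered but DLL is gone"))
            continue
        m = REG_LINE.match(line)
        if m:
            dom = next((d for d in HIJACK_DOMAINS if d in m["data"].lower()), None)
            if dom:
                findings.append(Finding(line, f"search hijack: IE {m['value'].strip()} points at {dom}"))
    return findings


def group_by_dll(lines):
    """Map each DLL path to every CLSID registered against it, so all hooks a
    component installed (BHO + URLSearchHook + Toolbar) are fixed in one pass."""
    groups = {}
    for clsid, (_, _, path) in parse_com_entries(lines).items():
        if path != "(no file)":
            groups.setdefault(path.lower(), []).append(clsid)
    return groups


def leftovers(before, after):
    """CLSIDs that had a DLL in the first scan and are '(no file)' in the second:
    the uninstaller deleted the file but left the registration behind."""
    b, a = parse_com_entries(before), parse_com_entries(after)
    return sorted(c for c in a if c in b and b[c][2] != "(no file)" and a[c][2] == "(no file)")


if __name__ == "__main__":
    for f in flag_entries(BEFORE_SCAN):
        print(f"FIX  {f.reason}\n     {f.line}")
    for dll, clsids in group_by_dll(BEFORE_SCAN).items():
        print(f"DLL  {dll} -> {', '.join(clsids)}")
    for clsid in leftovers(BEFORE_SCAN, AFTER_SCAN):
        print(f"LEFT {clsid} still registered after uninstall; fix it in HJT")
```

The useful output is the DLL grouping: both CLSIDs behind frSrcAs.dll and both behind fbabar.dll show up together, which is why the R3, O2 and O3 lines were listed as one batch, and the diff step reports exactly the A93A3CC9 toolbar that survived the uninstall.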
