Pre malware removal question

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by bodybag219, Jul 19, 2008.

  1. bodybag219

    bodybag219 Private E-2

    One of the procedures required is to download a variety of tools, one of them being SUPERantispyware.

    I already have this on my PC, so should I remove this program and reinstall it when I get to the PC clean-up section in the removing malware guide, or is it OK that it's already installed and won't affect any of the clean-up procedure?

    Cheers and thanks

    bodybag
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you sure that you have the current version and the current updates? Click our link. Is that the version you have? If yes, just get the updates and continue. If that is not the version you have then uninstall it and use the version in our link (also making sure you get the updates after installing).
     
  3. bodybag219

    bodybag219 Private E-2

    Hi Chaslang,

    Thank you for your reply.

    As I was wanting to make a start on the malware removal, I took the safer option of removing my existing SUPERAntispyware and doing a new install via this website + updates.

    I have now done a scan with the above software and am about to proceed to the next phase. Will keep you posted when complete.

    Regards

    bodybag
     
  4. bodybag219

    bodybag219 Private E-2

    Read & Run Me completed (nearly)

    Hi again

    I have worked my way through the Read & Run Me First guide and I did encounter a couple of problems, which I will mention in order of occurrence.

    Prior to commencing anything, upon starting my PC I was receiving the following message:

    "RUNDLL

    Error loading C:\WINDOWS\system32\terdsrmv.dll

    The specific module could not be found"

    This message has since stopped appearing following some of the scans.

    During the basic computer maintenance section I did d/l IObit SmartDefrag to supersede my Windows defrag; however, upon trying to commence a defrag I was met with the following message:

    "Access violaton at address 004D1B8A
    in module "IObit Smart Defrag.exe".

    Read of address 00000044."

    Not being able to defrag with IObit, I thought I would check the Windows defrag function but received the following message:

    "Disk Defragmenter could not start"

    Consequently, as part of the basic maintenance, I have NOT defragged pending your feedback in relation to this matter.


    During the Spybot S&D scan I did make the mistake of scanning more than once due to some items being unable to be cleaned etc. The software asked if it could run after a reboot and I "politely" said yes. So it ran again but still did not clean everything that was detected.

    It was then that I reread the instructions and saw where it said about only running the scans once ... oops, my bad (sorry).

    The most problematic thing was the ComboFix and I am unhappy to report that I was unable to perform the scan, thus there is no "log" to upload.

    Something I noticed from the instructions was the difference between what you had written to be copied and pasted into the run box and what was shown in your picture of how it should look if all was done correctly, see below:

    Copy & paste this: "%userprofile%\desktop\combo-fix.exe" /killall

    Image of how it should look: "%userprofile%\desktop\cf.exe" /killall

    Difference being, combo-fix.exe is cf.exe in the image. I am nowhere near PC savvy enough to know what difference it would make, but all I know is that I kept getting the following message:

    Windows cannot find 'C:\Documents and Settings\Owner\desktop\combo-fix.exe'.
    Make sure you typed the name correctly, and then try again. To search for a file, click the start button and then click search.

    I came back to the forums and conducted a search under ComboFix and found the following thread, which seems to be the same as what I was/am experiencing:

    http://forums.majorgeeks.com/showthread.php?t=164464&highlight=combofix

    In that thread it was determined that the person had not in fact saved ComboFix to the desktop and that it was in the C:\ drive. I checked my C:\ drive and it wasn't there. I deleted CF and saved it again to the desktop, checked the properties and it said it was in location: c:\Documents and Settings\Owner\Desktop. I also once again checked the C:\ drive and could not see it.

    I renamed the file to combo-fix.exe and went through the copy & paste procedure as before with the same result.

    I am not sure what the problem is, although I am certain that I may be a major goof as opposed to a major geek lol.

    I look forward to your further assistance in this matter re my malware, at your convenience.

    Thank you for your time and effort

    Regards

    bodybag
     

    Attached Files:

  5. bodybag219

    bodybag219 Private E-2

    Re: Read & Run Me completed (nearly)

    Couldn't find an edit button.

    Have just tried the IObit defrag and it's working fine :)

    Just thought I should tell you in case you spend time pondering what could be the problem.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Read & Run Me completed (nearly)

    Thanks for the observation. This is now fixed. We recently changed the step to use combo-fix.exe and the image was not updated.

    This is occurring because you renamed the file incorrectly. The below is what you have on your Desktop:
    Code:
    "C:\Documents and Settings\Owner\Desktop\"
    combo-~1.exe  Jul 21 2008     2655750  "combo-fix.exe.exe"
    You have two .exe extensions and you should have one. This probably occurred at the time because you had not set the options for viewing hidden files and file extensions as requested. Running MGtools automatically changed the options properly now. So now you need to rename combo-fix.exe.exe to combo-fix.exe and then you should be able to run it and attach a log. I want to get this log before continuing since it may fix some additional issues related to a WareOut infection that I see in your logs.

    When you attach the ComboFix log, also tell me what malware problems you are still having (if any).
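The double-extension mix-up chaslang describes above (and warns about again later in the thread, where he notes that hiding extensions lets malware hide too) is easy to reproduce. The following Python script is an added example, not code from MajorGeeks or the tools in this thread; it models how Explorer displays and renames files when "Hide extensions for known file types" is on, and lists names whose visible part still ends in a file type, which is exactly the "combo-fix.exe.exe" situation and the pattern a disguised executable relies on. The set of "known" extensions and the Desktop listing are constructed for illustration.

```python
import os

# Constructed subset of "known file types": with the Explorer option
# "Hide extensions for known file types" on, these suffixes are not shown.
# Assumption for illustration; the real set is every registered file type.
KNOWN_EXTENSIONS = {".exe", ".dll", ".scr", ".bat", ".com",
                    ".txt", ".reg", ".zip", ".pdf", ".jpg"}


def explorer_display_name(filename):
    """Name Explorer shows for a file when known extensions are hidden."""
    stem, ext = os.path.splitext(filename)
    return stem if ext.lower() in KNOWN_EXTENSIONS else filename


def rename_with_hidden_extension(original, typed):
    """Simulate an Explorer rename while extensions are hidden.

    The user edits only the displayed part; Explorer re-appends the hidden
    extension to whatever was typed. Typing 'combo-fix.exe' over 'ComboFix.exe'
    therefore yields 'combo-fix.exe.exe', the state reported in the thread.
    """
    _, hidden_ext = os.path.splitext(original)
    if hidden_ext.lower() in KNOWN_EXTENSIONS:
        return typed + hidden_ext
    return typed


def find_double_extensions(filenames):
    """Return (real name, displayed name) pairs for files whose displayed name
    still ends in a known extension, i.e. the true type is hidden from the user."""
    hits = []
    for name in filenames:
        displayed = explorer_display_name(name)
        if displayed == name:
            continue  # nothing was hidden, nothing to misread
        _, visible_ext = os.path.splitext(displayed)
        if visible_ext.lower() in KNOWN_EXTENSIONS:
            hits.append((name, displayed))
    return hits


if __name__ == "__main__":
    # Constructed Desktop listing; combo-fix.exe.exe is the name from the thread.
    desktop = ["combo-fix.exe.exe", "CFscript.txt", "fixme.reg", "holiday.jpg.scr"]
    print(rename_with_hidden_extension("ComboFix.exe", "combo-fix.exe"))
    for real, shown in find_double_extensions(desktop):
        print(f"Explorer shows {shown!r} but the file is really {real!r}")
```

With extensions visible (the setting MGtools applies), the rename and the listing behave as the user expects, which is why the guide asks for that option before any file is renamed.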
     
  7. bodybag219

    bodybag219 Private E-2

    Re: Read & Run Me completed (nearly)

    Hi Chaslang

    Thank you for your reply and further instructions.

    Obviously, looking at the copy of the code you pasted here seems to show the ComboFix problem. Although I must say that I did make the changes re: hidden files. However, perhaps I did something wrong, although the procedure seemed fairly straightforward.

    Anyway, all is good and I will redo the steps and get the ComboFix log to you with any additional info re: continuing problems.

    Your help is very much appreciated, thank you.

    Regards bodybag
     
  8. bodybag219

    bodybag219 Private E-2

    Hi once again Chaslang

    ComboFix:

    When I went to uncheck the hidden files via Explorer, they were still showing as "unchecked". I rechecked them, then unchecked again > hit apply and went through the renaming of the CF file.

    The scan commenced and ran through without any dramas. Please find attached the CF log.

    I did notice at the top of the log that it made mention of my Recovery Console not being installed. Is this a problem that needs to be fixed?

    PC's current state:

    From the outside everything seems to be running as normal, i.e.:
    No more pop-up messages pertaining to viruses running rampant throughout my system.
    Internet Explorer appears to be stable and maintaining the selected home page.
    Desktop items which disappeared have since returned after the completion of the CF scan.

    I have changed my firewall from zonealarm to Online Armor due to seeing where ZA appeared on your list of leak tested firewalls.

    I have also swapped my free AVG to the Avast AV software due to its position on your recommended list and also because of the comments made about AVG making false detections.

    I have run a thorough scan using Avast and there were some items still detected, and I have attached the results log of that scan for your perusal and comments, if you don't mind.

    It would seem that we are getting closer to the end of this little malware adventure and I do have some post-removal questions for you.

    1) In relation to the hidden files, should I go back and make them hidden again by rechecking those two boxes in Explorer?

    2) During the procedure of downloading anti-malware tools, it was mentioned about not D/Ling to a temp folder. When I normally D/L stuff I generally just let the system decide where it puts them, i.e. the Temp folder. Should I be saving them somewhere else and if so, where? C:\Program Files?

    Thank you

    bodybag
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes but the reason you initially had a problem and named Combo-Fix with two extensions was because you had not set the below option that is given in that same list:
    • Uncheck the Hide extensions for known file types option.
    When you ran MGtools, it set it for you automatically which is why it is now correct.


    This is normal. Windows does not install the Recovery Console by default. ComboFix points this out because you can run a procedure to install it with ComboFix. Having the Recovery Console installed can sometimes be a life saver if a PC becomes unbootable due to malware problems.


    For future reference, you should not change anything during malware removal procedures unless a helper requests it. Basically during the period of removal you should not do anything at all on your own. Only what is requested. ;) Including running Avast at a point where we were not finished. All it pointed out were things in System Restore which would all be removed once we do our final steps.

    Again final instructions will do this automatically. But you may want to consider always having everything unhidden. Remember that you allow malware to hide too when you have those settings put back to default. ;)

    NO! You should never download and save to C:\Program Files. That is where installed programs go when you run the installers. And no, you should not save things to a Temp folder where they can easily be deleted and where you will have many things saved, causing you to wonder what they are at some point in time. Make a folder like
    C:\Downloads and within this folder create subfolders representing categories like AntiVirus, AntiSpyware, Firewalls, Disk Cleaners, ....etc and within each of those subfolders create additional folders for exactly what you are downloading. For example under C:\Downloads\AntiVirus you could have folders like
    • AVG AntiVirus Free Edition 8.0.135
    • AVG Anti-Virus Update July 22, 2008
    • Avast! Home Edition 4.8.1227
    • avast! Virus Definitions July 21, 2008
    That is just a small example that should demonstrate what I mean. This way you will always know exactly what you have saved where because the folder name along with the file name will tell you. Even months later, you will still be able to tell. A few months from now would you remember what mbam-setup.exe is when you see it in your Temp folder? Would you remember it is Malwarebytes Anti-Malware? Would you remember what version it is? Well if you use my method of saving files you would. ;)

    Now let's finish cleaning your PC.


    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: {5da507d1-1024-bcba-f894-ddf929f2519e} - {e9152f92-9fdd-498f-abcb-42011d705ad5} - (no file)
    O8 - Extra context menu item: &Search - ?p=ZKxdm021YYAU
    O17 - HKLM\System\CCS\Services\Tcpip\..\{73C2C4EC-4920-48E1-B2E1-BA0135F86488}: NameServer = 85.255.114.45,85.255.112.112
    O17 - HKLM\System\CCS\Services\Tcpip\..\{DFF77980-ACE0-4445-94B7-F93BFDC38E94}: NameServer = 85.255.114.45,85.255.112.112
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.45 85.255.112.112
    O17 - HKLM\System\CS1\Services\Tcpip\..\{73C2C4EC-4920-48E1-B2E1-BA0135F86488}: NameServer = 85.255.114.45,85.255.112.112
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.45 85.255.112.112

    After clicking Fix, exit HJT.

    Now we need to use ComboFix.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
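The HijackThis lines chaslang asks to have fixed above are O17 entries whose NameServer values point at resolvers the PC owner never configured, plus an O2 BHO entry with no backing file. The following Python script is an added example, not part of this thread or of HijackThis/MGtools; it parses lines in HijackThis format and reports every O17 NameServer address that is not inside an expected resolver range, and every O2 BHO entry marked "(no file)". The sample input is the set of lines quoted above plus one constructed benign O17 line; the expected resolver ranges (home LAN prefixes and a documentation prefix standing in for the ISP's resolvers) are an assumption you would replace with your own.

```python
import ipaddress
import re

# Constructed sample: the HijackThis lines quoted in the post above, plus one
# constructed benign O17 line (home router) to show an entry that is not flagged.
SAMPLE_HJT_LINES = r"""O2 - BHO: {5da507d1-1024-bcba-f894-ddf929f2519e} - {e9152f92-9fdd-498f-abcb-42011d705ad5} - (no file)
O8 - Extra context menu item: &Search - ?p=ZKxdm021YYAU
O17 - HKLM\System\CCS\Services\Tcpip\..\{73C2C4EC-4920-48E1-B2E1-BA0135F86488}: NameServer = 85.255.114.45,85.255.112.112
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.45 85.255.112.112
O17 - HKLM\System\CCS\Services\Tcpip\..\{ASSUMED-GUID-FOR-EXAMPLE}: NameServer = 192.168.1.1
"""

# Assumption: resolvers this PC is expected to use. Private LAN prefixes cover
# a home router; 203.0.113.0/24 is an RFC 5737 documentation prefix standing in
# for the ISP's resolvers. Anything else configured as NameServer is reported.
EXPECTED_RESOLVERS = (
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("203.0.113.0/24"),
)

O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9a-fA-F-]+\}) - (?P<path>.+)$")


def parse_nameservers(field):
    """HijackThis prints NameServer lists separated by commas or spaces."""
    return [s for s in re.split(r"[,\s]+", field.strip()) if s]


def is_expected(ip_text):
    """True if the address parses and lies in one of the expected resolver ranges."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # not an IP at all: treat as unexpected
    return any(ip in net for net in EXPECTED_RESOLVERS)


def triage(text):
    """Return (section, identifier, details) findings for suspicious HJT lines."""
    findings = []
    for line in text.splitlines():
        m = O17_RE.match(line)
        if m:
            unexpected = [s for s in parse_nameservers(m.group("servers"))
                          if not is_expected(s)]
            if unexpected:
                findings.append(("O17", m.group("key"), unexpected))
            continue
        m = O2_RE.match(line)
        if m and m.group("path").strip() == "(no file)":
            # A BHO registered with no backing file: orphaned entry.
            findings.append(("O2", m.group("clsid"), ["(no file)"]))
    return findings


if __name__ == "__main__":
    for section, ident, details in triage(SAMPLE_HJT_LINES):
        print(f"{section}: {ident} -> {', '.join(details)}")
```

Every interface-specific key (the `{GUID}` entries) and the global `Parameters` key carry their own NameServer value, which is why the same pair of addresses shows up on several lines and why all of them have to be fixed together; the check runs per line so none is missed.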
     
  10. bodybag219

    bodybag219 Private E-2

    Hi Chaslang

    Seem to have a problem with what you listed below to be selected in hijackthis and what actually is appearing.

    Consequently I have not gone ahead and done any fixes as only one item correlated between the two lists.

    I did see a save log button so with great trepidation I clicked that and saved the log showing what I have. (Which was quicker than what I had started doing > typing it out)

    The log is attached.

    Thank you for answering my other questions and the info about where and how best to save downloaded items was excellent and very useful (I will spread the word about that to my friends and family).

    I await your response

    Regards bodybag
     

    Attached Files:

    Last edited: Jul 23, 2008
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Since ComboFix was really run out of normal order, it removed things that showed in your previous MGlogs.zip file which includes the HijackThis items. Thus those items in my fix no longer exist. Just ignore that part and continue.
     
  12. bodybag219

    bodybag219 Private E-2

    Hi chaslang

    In accordance with your last reply, I have ignored that section of your last set of instructions and proceeded with ComboFix.

    The combofix part went smoothly and the expected log was produced (attached)

    The fixme.reg also went well and I received a "fixme.reg has been successfully entered into the registry" message. :)

    CCleaner was run and all seemed fine.
    *In one of the earlier sections pertaining to CCleaner after the initial run, it mentioned using the registry section. I was unsure if I was intended to do this part as well, so erring on the side of caution I did NOT use the registry part of the cleaner.

    The MGtools bat file process went smoothly and a log was produced (attached)

    Since completing the above steps, I have NOT run any sort of anti virus/spyware/malware scan. So as far as that aspect of how my pc is going now, I am uncertain.

    Internet Explorer appears to be working fine with my homepage choice still loading as required. I did notice that upon completion of the above steps I now have a second IE shortcut on my desktop.

    All shortcuts that I had pre malware attack are on my desktop and I am not receiving any odd error messages or virus warnings popping up on my desktop or from my task bar.

    So from my not all seeing eyes, things seem good.

    Thank you for your time chaslang and I shall await further instructions or an all clear from you before I proceed with an anti "everything" scan :)

    Kind regards

    bodybag
     

    Attached Files:

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This is what we requested. The below is a quote from the READ & RUN ME
    Your logs are clean but what is in the below new folder?
    Code:
    2008-07-23 09:48 . 2008-07-23 09:50 <DIR> d-------- C:\WINDOWS\NV36761604.TMP
    

    If you are not having any other malware problems, it is time to do our final steps:
    1. You can uninstall SUPERAntiSpyware now.
    2. We recommend you keep Malwarebytes Anti-Malware as a scanner. It uses no resources except a little disk space until you run a scan.
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop & renamed it like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combo-fix" /u
        • Notes: The space between the combo-fix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\combo-fix folder from combofix.
    4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    7. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    8. Go to add/remove programs and uninstall HijackThis.
    9. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    10. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    11. After doing the above, you should work thru the below link:
     
  14. bodybag219

    bodybag219 Private E-2

    Hi chaslang

    1) In relation to CCleaner, I was referring to the section "Basic computer maintenance everyone should do" which was the first reference to CCleaner in the Malware removal guide. My mistake for not being clear enough in my query to you.

    2) 2008-07-23 09:48 . 2008-07-23 09:50 <DIR> d-------- C:\WINDOWS\NV36761604.TMP

    When I checked, they are "Compiled HTML help files" relating to the nvidia control panel which I recently had open.

    3) Have followed and removed software as mentioned in your instructions.

    4) When I did the restore point it said that it would need to reboot but it did not do it automatically as expected and I had to manually reboot the PC.

    The same thing occurred after I downloaded the a-squared software. It said it had to reboot and then didn't > I had to manually reboot again.

    Another "strange to me" thing I noticed yesterday and again today is that Online Armor is telling me in a red box that a suspicious program wants to run and it's indicating it's within the Avast4 program. I have a screen shot of the box that I will attach. It makes mention of how "some dangerous programs replace trusted programs by themselves to trick you into running them".

    I have not been running the AV software, nor is it open (not in task bar), while I have been getting these warning messages.

    5) How to protect yourself from malware:

    This is what i now have installed on my PC

    Antivirus: Avast Home Edition
    Anti ?: a - squared (Out of curiosity, what type of "anti" software is this?)
    Firewall: Online Armor

    Realtime blocker: Spyware Terminator
    After the fact scanner: Spybot - search & destroy
    Non realtime protection: Spyware Blaster

    Have set up folders for saving downloaded software as per your suggestion.

    6) Active X: Some items that you mentioned did not appear in my Active X list >

    Installation of desktop items
    Launching programs and files in an IFRAME
    Navigate sub-frames across different domains
    Allow paste operations via script

    The first 3 items in your list were.

    Thank you chaslang for ALL of your time spent helping me with my malware problems. Your help and advice has been very much appreciated and I admire your dedication to your speciality area. Clicking on the "Thank you" button seems so inadequate compared to all that you have done, but I will gladly do that.

    Cheers and warm regards

    bodybag
     

    Attached Files:

    Last edited: Jul 24, 2008
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay but as stated in the READ & RUN ME. That procedure is not really part of the READ & RUN ME nor is it required for malware removal.

    This is just part of Avast Antivirus.

    The best way to describe it is in the description on the download page:
    You're welcome. Surf safely!
     
  16. bodybag219

    bodybag219 Private E-2

    Hi chaslang and thank you for your replies.

    I woke up this morning and turned my pc on and when I came back to it all that was showing was a naked desktop.

    No icons, no task bar, absolutely nothing!!

    I had the thought that I might be able to get something happening by running in safe mode, and when I restarted and pressed F8 I was not given a listed option for safe mode; all that appeared on my screen was:

    BOOT
    Select a Boot first device
    Removable
    - Floppy Disk
    Hard Disk
    - SATA3 :ST 3250410AS
    CDROM
    - 1st Master Pioneer DVD-RW DVR-112

    I am not sure if this is still relating to any sort of malware problem or not. Maybe it's software or hardware.

    Any suggestions as to where I go from here or what I should do would be greatly appreciated. Thank you.

    Regards bodybag
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No it is not malware. You have basically been clean since running ComboFix in message # 8. Everything after that was just followup in case something was missed by ComboFix and removal of some unnecessary registry keys that ComboFix adds to the registry when it is run.

    You may need to post in the Software Forum but answer a question first. When you attempt to boot normally, do you get to the Welcome screen where you login (assuming you had your PC set to start that way to begin with)? Basically I want to know how far the boot process goes.
     
  18. bodybag219

    bodybag219 Private E-2

    Hi chaslang

    In answer to your question about the Welcome screen:

    In normal mode I get to the welcome screen and then after about 20 secs it goes to my desktop minus any icons, task bar or start button.

    In safe mode I get to the windows click username page > Administrator and Owner.

    When I click on Owner I end up with all of my original desktop icons and positions, task bar and start button.

    When I click on Administrator I only get about 70 - 80% of my desktop icons and the positions have changed.

    I note what you have stated about my malware problem being clean; however, when carrying out scans I am still detecting malware.

    Also with Avast, when it does its memory scan and picks up a rootkit type malware, I can put it in the chest only delete it.

    I have attached some reports for you.

    I did think that I would have been able to use the new restore point that I last created as per your instructions but that was unsuccessful. I also noted that Spybot had created its own restore point as well. I must admit I am currently somewhat uncertain about Spybot as Avast is unable to perform a full scan due to a lot of files being password protected by Spybot.

    I did read a post in this malware section where you helped a guy who had a similar problem with his desktop and it turned out to be something to do with a non MS product (gozilla?) located in the service section of msconfig.

    I will go post something in the software/hardware section. I did find a thread in my search earlier today in the HW section pertaining to my problem but there was no real answer/conclusion to the thread or problem.

    If you do have any other suggestions etc. in relation to what may be happening I would love to hear them.

    Thanks once again for all that you have done for me.

    Kind regards

    bodybag
     

    Attached Files:

  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The detection by a-squared is false. That is a Microsoft file. It is GDIEXT Client DLL. In this particular case it is a version of the file used by Windows Live Messenger.

    I also suspect that the Avast detections are false detections. Do you still have any of those tmp files in the folder indicated?

    Are you actually having any real malware problems? System Restore failing to succeed is typically a problem within the Windows operating system itself. Also the error file from Avast is not a malware problem. It may be a problem with your installation. Where did you download Avast from? What is the full name of the installation file?


    This will not stop Avast from scanning all of your files. It only stops Avast from looking at these files protected by Spybot to block malware from corrupting them. The same thing is true for many Windows files which are protected and cannot be scanned.

    I don't know what you are referring to. You will have to be more specific and give a thread ID and make sure you are referring to proper names of programs. Did you mean Stopzilla?

    What problems are you referring to? Are you referring to the fact that Windows had no Desktop as mentioned in msg #16? I thought you had this fixed now.
     
  20. bodybag219

    bodybag219 Private E-2

    Hi Chaslang

    Thanks for your reply

    I'm pleased to hear about the detections being false.

    "Do you still have any of those tmp files in the folder indicated?"
    I believe I do > c:\windows\temp\mc21.tmp, mc22.tmp, mc23.tmp, mc25.tmp, mc26.tmp & mc27.tmp. mc24.tmp is missing but I imagine that's because it's been deleted.

    As far as i can tell in relation to what was happening in the beginning, I am not currently having any malware problems.

    You mention that the system restore may be a problem with the windows operating system, so I will ask about that in the Software section.

    With regard to Avast I cannot be 100% certain that it was downloaded from MG or not. I was having probs with some of the MG download pages opening and I may have googled the software and downloaded from elsewhere, e.g. the Avast site. I will delete Avast later sometime and download from MG to be sure.

    "This will not stop Avast from scanning all of your files. It only stops Avast from looking at these files protected by Spybot to block malware from corrupting them. The same thing is true for many Windows files which are protected and cannot be scanned."

    That's reassuring! (I'm quite enjoying this learning curve)

    Yes I did mean Stopzilla. I tried to find the thread again but couldn't. I was just trying to find similar accounts of my situation when I was initially researching the problem.

    "What problems are you referring to? Are you referring to the fact that Windows had no Desktop as mentioned in msg #16? I thought you had this fixed now."

    I am referring to the no desktop icons, no taskbar and no start button problem. No it has not been fixed. I have posted in the hardware section http://forums.majorgeeks.com/showthread.php?t=165399 and it has been viewed 50 times but it doesn't seem as though anyone knows how to fix it.
    Does not bumping threads only apply to the malware section? lol

    I have found a solution to my F8 > boot menu prob and now know how to access the Windows Advanced Options menu which is great. I did make reference to my other problem, a sly bump perhaps? lol

    http://forums.majorgeeks.com/showthread.php?t=165458

    Regards bodybag
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Put a couple of these into a ZIP file and attach the ZIP file here. Then see if you can delete all of the files yourself.

    It is not a hardware problem. It is a software problem which means the Software Forum would have been more appropriate. This kind of problem often happens when explorer.exe (the Windows shell) is not getting properly loaded at startup. This can happen for many reasons. Some malware and some not malware. Attach a new log from MGtools so I can check a few things out. Try to run it in normal boot mode from Task Manager.

    The procedures we mentioned only apply to the Malware Forum. If a thread is unanswered in other forums, you could try a polite bump after a couple days, but if you still don't get an answer it means no one that has read your post has one for you.

    I have found a solution to my F8 > boot menu prob and now know how to access the Windows Advanced Options menu which is great. I did make reference to my other problem, a sly bump perhaps? lol
     
  22. bodybag219

    bodybag219 Private E-2

    Hi chaslang

    Thanks once again for your reply and answers/comments etc.

    I have put a couple of the mc files into a zip (hope it's right as I have never done a zip file before :eek: )
    Yes I was able to delete the remaining mc files and after a reboot they had not returned.

    In relation to the placement of my thread in the hardware section, would the best action be contacting a moderator and asking them to move the thread to the software section or just copy and paste it into the software section myself?

    I was able to run MGtools in normal mode by using the task manager as instructed. Log attached

    In relation to bumping, I will remember that for the future. I had planned to PM someone if I hadn't had a reply on it soon to see what to do.

    Thanks again

    Regards bodybag

    ADDIT: It would seem i have stuffed up the mc file zip. Will keep trying to get it added
     

    Attached Files:

    Last edited: Jul 28, 2008
  23. bodybag219

    bodybag219 Private E-2

    mc zip files as requested

    Hi chaslang

    Here are the zip files for you of the mc.tmp files. I couldn't get back in time before the edit time ran out. I did learn how to create a zip file from my PeaZip software though :)

    Cheers bodybag
     

    Attached Files:

  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: mc zip files as requested

    I ran these files thru over 30 scanners (one of which is also Avast) and there are no problems other than 1 of them mentioning Tool.Madtol.c (Not a Virus) and another mentioning MadCodeHook which is the same as Madtol.c and is not a virus. My guess is that these files are due to some copy protection (maybe gameguard) which is probably employed by the games you have installed.

    There is still no malware in your logs. And explorer.exe is showing as running in your procdll.txt log inside of the MGlogs.zip file. Therefore it is not a problem that explorer is not being loaded. I'm not sure what is causing this problem and why it is only occurring in normal boot mode. This would imply that something that runs in normal boot mode but not in safe boot mode could be the problem. I suggest that you one by one uninstall each of the below in the order given (with a reboot in between) to see if any of them (or any combination of them) are possibly causing the problem.
    • Online Armor 2.1
    • avast! Antivirus
    • Spyware Terminator
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I can move it for you when we finish with steps being tried here.
     
  26. bodybag219

    bodybag219 Private E-2

    :celebrate

    Hi chaslang

    I guess you know there is good news coming!!

    I deleted Online Armor 2 and rebooted after changing to normal mode, and it loaded as it should with all icons etc.

    The System Configuration Utility msg box came up saying there had been changes and to select Normal mode and adjust any other changes made.

    So I did that, and then when it asked to reboot I did, and it started back in safe mode!? So I kept doing what the msg box asked and the same thing kept happening. In the end I thought that I would delete Avast as well, which I did.

    I then went through the above procedure again and once again I had the PC starting in safe mode. I ended up checking the box on that msg box to not appear again, and since then, once in normal mode, it has stayed that way.

    At that point I decided that I should run another MGtools scan to attach with this just in case there is something in the log that may be of use to you in perhaps determining why Online Armor and possibly Avast caused this desktop problem. If there is any other information that you would like me to glean from the pc then you only have to ask.

    Currently I have installed Malwarebytes, Spyware Terminator, SpywareBlaster, a-squared & CCleaner.

    My PC is not currently connected to the internet. I will use the windows firewall for the time being while I have another look at the firewalls on offer here, along with a different AntiVirus.

    I have thanked you before but I must say it again, "Thank you chaslang", I really do appreciate your help and patience. Here's to you :wine

    Kind regards

    bodybag
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I need to see a new MGlogs.zip file so I can check to make sure all of Avast and Online Armor were properly removed. The log will not tell me why you had the problems you had. All I can do is guess that there was a problem with the installations or there was some other kind of software conflict.
     
  28. bodybag219

    bodybag219 Private E-2

    Hi chaslang

    Please find attached the requested log.

    Also, I have installed via MajorGeeks (Prior to this scan):

    Comodo Firewall

    PC Tools AntiVirus (Its initial scan came up clean)

    Regards

    bodybag
     

    Attached Files:

  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your logs are fine now. Just delete the below left over folders:

    C:\Documents and Settings\All Users\Application Data\Avg8
    C:\Program Files\Alwil Software
    C:\Program Files\AVG
    C:\$AVG8.VAULT$

    If you are not having any other malware problems, it is time to do our final steps:
    1. You can uninstall SUPERAntiSpyware now.
    2. We recommend you keep Malwarebytes Anti-Malware as a scanner. It uses no resources except a little disk space until you run a scan.
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop & renamed it like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combo-fix" /u
        • Note: the space between combo-fix" and the /u must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\combo-fix folder from combofix.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    8. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
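The final steps above are a fixed checklist, so they can be scripted. The following PowerShell script is an added example written for this page, not a MajorGeeks tool and not something posted in the thread. It assumes ComboFix was renamed to combo-fix.exe on the Desktop as the guide requests, that the leftover folder list is exactly the one chaslang gave, and that any registry patches (fixme.reg, fixWLK.reg and the like) were saved to the Desktop; it leaves the Add/Remove Programs uninstalls (SUPERAntiSpyware, HijackThis) and the System Restore flush to be done by hand, since those are GUI steps in the READ ME. Run it once with -DryRun to see what it would touch before letting it delete anything.

```powershell
# Added example (not from the original thread): automate the "final steps" post.
# Assumptions, labelled here and in the lead-in:
#   - ComboFix was installed on the Desktop and renamed combo-fix.exe
#   - leftover folders are the four paths chaslang listed
#   - fix*.reg patches, if any, live on the Desktop
# Usage:  powershell -ExecutionPolicy Bypass -File .\final-steps.ps1 -DryRun
#         powershell -ExecutionPolicy Bypass -File .\final-steps.ps1
param([switch]$DryRun)

$desktop = [Environment]::GetFolderPath('Desktop')

# Delete a file or folder only if it is actually there, and only when not
# in dry-run mode. -LiteralPath matters: one path contains '$' characters.
function Remove-IfPresent {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Host "not present: $Path"
        return
    }
    if ($DryRun) {
        Write-Host "would remove: $Path"
    } else {
        Remove-Item -LiteralPath $Path -Recurse -Force
        Write-Host "removed: $Path"
    }
}

# Leftover folders from the post (Alwil Software is the Avast install dir).
$leftovers = @(
    'C:\Documents and Settings\All Users\Application Data\Avg8',
    'C:\Program Files\Alwil Software',
    'C:\Program Files\AVG',
    'C:\$AVG8.VAULT$'
)
foreach ($p in $leftovers) { Remove-IfPresent $p }

# Step 3: uninstall ComboFix with its own /u switch, then drop its folder.
# Start-Process quotes the path for us, which is what the Run box needed.
$combofix = Join-Path $desktop 'combo-fix.exe'
if (Test-Path -LiteralPath $combofix) {
    if ($DryRun) {
        Write-Host "would run: `"$combofix`" /u"
    } else {
        Start-Process -FilePath $combofix -ArgumentList '/u' -Wait
        Write-Host "ComboFix uninstall finished"
    }
} else {
    Write-Host "combo-fix.exe not found on Desktop; skipping ComboFix uninstall"
}
Remove-IfPresent 'C:\combo-fix'

# Step 4: registry patch files (assumed to have been saved to the Desktop).
Get-ChildItem -Path $desktop -Filter 'fix*.reg' -ErrorAction SilentlyContinue |
    ForEach-Object { Remove-IfPresent $_.FullName }

# Step 5: on Vista (NT 6.x) re-enable UAC from the .reg file that MGtools
# ships, and do it BEFORE the MGtools folder is deleted in step 7.
$uacReg = 'C:\MGtools\enableUAC.reg'
if (([Environment]::OSVersion.Version.Major -ge 6) -and (Test-Path -LiteralPath $uacReg)) {
    if ($DryRun) {
        Write-Host "would import: $uacReg"
    } else {
        & reg.exe import $uacReg
        Write-Host "UAC re-enabled from $uacReg"
    }
}

# Step 7: MGtools itself and the log archive it produced.
foreach ($p in 'C:\MGtools', 'C:\MGtools.exe', 'C:\MGlogs.zip') { Remove-IfPresent $p }

Write-Host 'Remaining manual steps: uninstall SUPERAntiSpyware and HijackThis from'
Write-Host 'Add/Remove Programs, then disable and re-enable System Restore per the READ ME.'
```

The script deliberately never deletes anything it cannot first see with Test-Path, and it imports enableUAC.reg before removing C:\MGtools so the two steps cannot be run in the wrong order, which is the one ordering mistake the numbered list invites.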
  30. bodybag219

    bodybag219 Private E-2

    Hi chaslang

    Thats great news, thank you. :highfive

    I have deleted the folders as instructed.

    I am going to update my post in the hardware section with the outcome of your "problem fix". Would you be able to move it into the software section, seeing as that's where it should be, please?

    Kind regards


    bodybag
     
  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!

    It has been moved.
     