read me first link seems dead

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by eyeopr8r, Aug 19, 2010.

  1. eyeopr8r

    eyeopr8r Private E-2

Yesterday I was merrily following instructions on the read me first link, went to the updated link and was to the point of having downloaded ComboFix, MGtools, and RootRepeal. Then after a reboot I can no longer access the read me first link. It appears dead and says Closed. How can I get back to the instructions? Thanks for your help.
     
  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Try using a different browser. What browser are you using?
    Of course it could also be malware blocking you from getting there, so if using an alternative browser makes no difference, do try booting into safe mode with networking. Let us know how you get on (Try a different browser first!) :)
     
  3. eyeopr8r

    eyeopr8r Private E-2

I get on both yesterday and today with IE.
     
  4. eyeopr8r

    eyeopr8r Private E-2

I have downloaded Firefox and am now able to access the link to read me first. Will now continue to follow instructions in read me first. Thank you very much, Ralph
     
  5. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    No problem, I'll be here waiting, so run all the scans and then attach all of the requested logs once ready. If one step does not work, then just move onto the next and note down errors along the way.
     
  6. eyeopr8r

    eyeopr8r Private E-2

While I am a physician and fairly computer savvy, having now gone through all the steps down through MGtools, I am in total awe of what you all know about computers, their inner workings, and stuff the rest of us have no clue about. The fact that you are here, developing these very intricate protocols for us common folk to use to try to rid our computers of really bad stuff is exceptionally admirable, and I would like to thank you ALL profusely for your knowledge, effort and voluntary time in helping the rest of us.

    Now I am including all the logs from the different programs run per MajorGeeks instructions. The one note I have is that in spite of double checking that all antivirus and spyware was turned off, I cannot get RootRepeal to complete to the point that the "save log" box is highlighted and allows me to click it. So instead I have taken screen shots and included them. It took 2 screen shots to get the whole thing, so shot #2 will be on the next post, along with the MGtools log.
    Thanks again so much
    Ralph
     
  7. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Don't worry about rootrepeal. I have to go to bed now after finishing a late shift at work, but wanted to point out to keep things moving, that you have not attached logs yet. Do that, and I can review them tomorrow evening after work. :)
     
  8. eyeopr8r

    eyeopr8r Private E-2

Thought I had sent these, but obviously they didn't come through. Here they are again. I will send the 2 screen shots for RootRepeal in a second post. Sleep tight and thanks. ;)
     

    Attached Files:

  9. eyeopr8r

    eyeopr8r Private E-2

Here are the 2 screen shots from the RootRepeal log. Thanks again ;)
     

    Attached Files:

  10. eyeopr8r

    eyeopr8r Private E-2

    I have thanked the forum and my specialist on each post. Why does the legend at the upper right corner of each post say "0 thanks on 0 posts"?
     
  11. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hello again. Had a hectic weekend, couldn't respond until now.

    Before we continue I would like for you to use MSConfig to put this machine back into normal start up mode, if you haven't done so already.

    XoftSpySE <--- uninstall this

    If you did not deliberately set this proxy yourself then please include it in the HJT fix below:

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    After clicking Fix exit HJT.

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    File::
    c:\windows\isRS-000.tmp
    c:\windows\system32\arfzsnccyktmjfsxe.exe
    
    Folder::
    c:\users\RALPH\AppData\Local\xxieuxvkx
    c:\users\RALPH\AppData\Local\okgkrcaav
    c:\program files\Ask.com
    C:\$CLEAN~1  
    
    RegLock::
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe


    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Also delete all files in the below bold folder except ones from the current date (Windows will not let you delete the files from the current day).

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

    Let me know how the computer is running now.
     
  12. eyeopr8r

    eyeopr8r Private E-2

    Hello,
Man this stuff is soooo over my head but I followed all instructions and here are the 2 log files. Since it is now late, I won't have a chance to run the computer to see how it is doing until tomorrow, and will update you then. Just FYI, LAST NIGHT while using it, I had one episode of a fraud window coming up telling me I was infected, needed a scan and needed to buy software. After closing it I have not had it since. Also FYI, the combo scan took a really long time to run: indication of lots of bad stuff in there??

Thanks for your expertise and time. I appreciate it very much, Ralph. Oh, by the way, why do all my posts say "0 thank yous" in the upper right corner??
     

    Attached Files:

    Last edited by a moderator: Aug 24, 2010
  13. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Now we need to use ComboFix again
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    Driver::
    XoftSpyService
    
    File::
    c:\users\RALPH\AppData\Local\C9FDFF7E6BA824AA08958A9C209DB4B7.dll
    c:\windows\Tasks\ParetoLogic Registration3.job
    c:\windows\Tasks\ParetoLogic Update Version3.job
    
    Folder::
    c:\programdata\ParetoLogic
    c:\program files\Common Files\ParetoLogic
    c:\program files\Common Files\XoftSpySE
    c:\programdata\XoftSpySE
    c:\program files\XoftSpySE6
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe


    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.
     
  14. eyeopr8r

    eyeopr8r Private E-2

I have run both and attached the log files. Will await your instructions. Thanks for your persistence. Ralph
     

    Attached Files:

    Last edited by a moderator: Aug 26, 2010
  15. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Please go to Jotti's malware scan

(If more than one file needs to be scanned they must be done separately and logs posted for each one)
    • Copy the file path in the below Code box:
      Code:
      C:\Windows\System32\wininet.dll
    • At the upload site, click the browse button.
    • Use Windows Explorer to navigate to the file(s) we need scanned and click "submit file"
    • Your file will possibly be entered into a queue which normally takes less than a minute to clear.
    • This will perform a scan across multiple different virus scanning engines.
    • Important: Wait for all of the scanning engines to complete.
    • Once the scan is finished, Copy and then Paste the link in the address bar into your next reply.

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    File::
    c:\windows\TEMP\TMP000000090A4C8731C6EBB80B
    C:\windows\system32\LogConfigTemp.xml
    Folder::
    c:\windows\TEMP\TMP000000090A4C8731C6EBB80B
    Registry::
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "Eraser"=-
    "SandboxieControl"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "ArcadeDeluxeAgent"=-
    "CLMLServer"=-
    "iTunesHelper"=-
    "LogMeIn GUI"=-
    "PlayMovie"=-
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe


    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

    Run a full scan with Avira, and let me know the results as well as those from jotti.
     
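A small parser for the CFScript layout used in the ComboFix posts above (KILLALL::, File::, Folder::, Driver::, Registry:: sections), so a script can be read back for what it targets before it is dragged onto ComboFix.exe. This is an added example and not code from the thread or from ComboFix; the sample script and its paths are constructed placeholders, and the only Registry:: semantics it assumes is the .reg-file convention that "name"=- marks a value for deletion.

```python
"""Parse a ComboFix CFScript into sections so a reviewer can list the files,
folders and registry values it targets.  Added example; sample is constructed."""
import re
from typing import Dict, List

# Constructed sample in the layout used in the thread; paths are placeholders.
SAMPLE = """KILLALL::

File::
c:\\windows\\EXAMPLE-bad.tmp

Folder::
c:\\users\\EXAMPLEUSER\\AppData\\Local\\EXAMPLEDIR

Registry::
[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\run-]
"ExampleEntry"=-
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::$")
REG_DELETE_RE = re.compile(r'^"([^"]+)"=-$')   # .reg syntax: delete this value


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Map each Section:: header to the non-blank lines under it.
    Bare directives such as KILLALL:: map to an empty list."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = SECTION_RE.match(line)
        if match:
            current = match.group(1)
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"item before any section header: {line!r}")
        else:
            sections[current].append(line)
    return sections


def registry_deletions(items: List[str]) -> Dict[str, List[str]]:
    """Group "name"=- lines of a Registry:: section under their [key] header."""
    result: Dict[str, List[str]] = {}
    key = None
    for item in items:
        if item.startswith("[") and item.endswith("]"):
            key = item[1:-1]
            result.setdefault(key, [])
        elif key is not None and (m := REG_DELETE_RE.match(item)):
            result[key].append(m.group(1))
    return result
```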
  16. eyeopr8r

    eyeopr8r Private E-2

    Hi Kestrel,
Sorry it's been a while--just bogged down with work. I've followed directions and attached files. Here is the link for Jotti's malware scan: http://virusscan.jotti.org/en/scanresult/be2c00c197ce4e879ef89dab9314855cd9fa1c92/4fbf4ff077edd989dc423fa6c75635edbdb74127 Will await instructions again.

    thanks, Ralph
     

    Attached Files:

    Last edited by a moderator: Sep 3, 2010
  17. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    What issues are you currently having? Your logs look clean.
     
  18. eyeopr8r

    eyeopr8r Private E-2

    To my knowledge, I am having no issues--my last post was just a reply to the last set of instructions given to me by Kestrel. If my logs look clean then I presume we have finished our work. I would, however, like to be guided concerning what steps in "read me first" should be reversed. Thanks a lot to Kestrel and yourself for all the help. Ralph

     
  19. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    All looks well!

Wouldn't hurt, as I mentioned, to run a full system scan with your antivirus.

    In the mean time you can follow through with the below now:

    If you are not having any other malware problems, it is time to do our final steps:
1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
  20. eyeopr8r

    eyeopr8r Private E-2

    I did in fact run Avira, and there were no detections.
    However, tonight while using the computer, it is again very slow and I saw something for a quick moment at the bottom left of a newly opened IE window that said about:blank, so I think I am having trouble with about:blank. Please tell me how to proceed.
     
    Last edited by a moderator: Sep 6, 2010
  21. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You do not have an about:blank infection. If you did, you would never be able to get to your start page or most other pages without being redirected. Are you being redirected?
     
  22. eyeopr8r

    eyeopr8r Private E-2

    I am not being redirected, but when I double click to open Internet Explorer, it takes FOREVER to load, and all this time down in the lower right corner of the bar where it eventually says "done", it is saying "waiting for about:blank..." Also none of my open windows is showing up on the taskbar either.
    What's up?? Thanks

     
  23. eyeopr8r

    eyeopr8r Private E-2

    Checked another forum and found the exact same problem: someone stated he was seeing "waiting for about:blank" in the lower left corner of the page when opening IE8. It was suggested he had browser hijacking malware, and to run HijackThis and post the log.
    So I ran HijackThis and here is my log.

    Thanks
    Ralph
     

    Attached Files:

    Last edited by a moderator: Sep 8, 2010
  24. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    At the time of examining your last set of logs they were clean. I am not seeing any signs of anything strange in that HJT log, but then just seeing a HJT log is never enough. I suggest that you now post in the software forum about this.
     
