Still Malware problems after following READ ME FIRST procedures - help! (please...)

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by SparkySparky4, Apr 5, 2010.

  1. SparkySparky4

    SparkySparky4 Private E-2

    I have been infected by malware and some of this seems to have been removed using the READ AND RUN FIRST procedures. I suspect however that I may still be infected and I am waiting for the hoax "Install Antivirus" to come up again. I am unable to see the desktop on my account and when I try to run "explorer" using the task manager I am told "Task Manager has been disabled by administrator" although that is an admin account. I am sending this through my daughter's account which so far seems to be running OK. I have attached logs as requested. Would appreciate your help (by the way my daughter is the main user of this PC - Dell XPS running XP SP3 - and she uses it for school work but it was an inadvertent download by me that set things off:( ).
    I successfully eliminated malware two years ago using your procedures and at that time did not require your help but I think I am in deeper trouble now and even my backup disk may be infected. Hence my first post.
    I have attached requested logs but will need to post again for the MGlog.
    Thanks in anticipation.
    Mark.
     


  2. SparkySparky4

    SparkySparky4 Private E-2

    Re: Still Malware problems after following READ ME FIRST procedures - help! (please..

    MG tools log.
     


  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Re: Still Malware problems after following READ ME FIRST procedures - help! (please..

    First off. It is a very bad idea to allow all users to have Admin. privileges!! You need to run SAS and MBAM on each user account and attach any logs that show infections.

    Now:

    What is this:
    C:\Documents and Settings\All Users\Application Data\XORQ --> if you don't know, delete it.

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    
    RenV::
    c:\program files\Adobe\Acrobat 7.0\Reader\adobeupdatemanager .exe
    c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy .exe
    c:\program files\Common Files\InstallShield\UpdateService\issch .exe
    c:\program files\Common Files\InstallShield\UpdateService\isuspm   .exe
    c:\program files\Common Files\InstallShield\UpdateService\isuspm .exe
    c:\program files\Common Files\Java\Java Update\jusched .exe
    c:\program files\Common Files\Logitech\QCDriver2\lvcoms .exe
    c:\program files\Common Files\Microsoft Shared\DW\dwtrig20 .exe
    c:\program files\Common Files\Symantec Shared\ccapp .exe
    c:\program files\Creative\SBAudigy2ZS\DVDAudio\ctdvddet .exe
    c:\program files\CyberLink\PowerDVD\dvdlauncher .exe
    c:\program files\Dell\Media Experience\dmxlauncher .exe
    c:\program files\DellSupport\dsagnt .exe
    c:\program files\Google\GoogleToolbarNotifier\googletoolbarnotifier .exe
    c:\program files\Intel\Intel Matrix Storage Manager\iaanotif .exe
    c:\program files\iTunes\ituneshelper .exe
    c:\program files\LaCie\Backup Software\laciebackup .exe
    c:\program files\Logitech\ImageStudio\isstart .exe
    c:\program files\Logitech\ImageStudio\logitray .exe
    c:\program files\Messenger\msmsgs .exe
    c:\program files\QuickTime\qttask    .exe
    c:\program files\QuickTime\qttask  .exe
    c:\program files\QuickTime\qttask .exe
    c:\program files\Real\RealPlayer\realplay .exe
    c:\program files\Sony\SonicStage\ssaad .exe
    c:\program files\Sony Ericsson\Mobile2\Application Launcher\application launcher .exe
    c:\program files\SUPERAntiSpyware\superantispyware .exe
    c:\program files\Symantec AntiVirus\vptray .exe
    c:\program files\Yahoo!\browser\ybrwicon .exe
    c:\windows\system32\dla\dlactrlw .exe
    C:\cleansweep .exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\adobeupdatemanager .exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy .exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch .exe
    C:\Program Files\Common Files\InstallShield\UpdateService\isuspm   .exe
    C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe
    C:\Program Files\Common Files\Java\Java Update\jusched .exe
    C:\Program Files\Common Files\Logitech\QCDriver2\lvcoms .exe
    C:\Program Files\Common Files\Microsoft Shared\DW\dwtrig20 .exe
    C:\Program Files\Common Files\Symantec Shared\ccapp .exe
    C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\ctdvddet .exe
    C:\Program Files\CyberLink\PowerDVD\dvdlauncher .exe
    C:\Program Files\Dell\Media Experience\dmxlauncher .exe
    C:\Program Files\DellSupport\dsagnt .exe
    C:\Program Files\Google\GoogleToolbarNotifier\googletoolbarnotifier .exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif .exe
    C:\Program Files\iTunes\ituneshelper .exe
    C:\Program Files\LaCie\Backup Software\laciebackup .exe
    C:\Program Files\Logitech\ImageStudio\isstart .exe
    C:\Program Files\Logitech\ImageStudio\logitray .exe
    C:\Program Files\Messenger\msmsgs .exe
    C:\Program Files\QuickTime\qttask    .exe
    C:\Program Files\QuickTime\qttask  .exe
    C:\Program Files\QuickTime\qttask .exe
    C:\Program Files\Real\RealPlayer\realplay .exe
    C:\Program Files\Sony\SonicStage\ssaad .exe
    C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\application launcher .exe
    C:\Program Files\SUPERAntiSpyware\superantispyware .exe
    C:\Program Files\Symantec AntiVirus\vptray .exe
    C:\Program Files\Yahoo!\browser\ybrwicon .exe
    
    File::
    C:\WINDOWS\bmzg7ldy30yi7h1p3p0a4gfr.ini
    C:\WINDOWS\system32\drivers\.sys
    
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\ComboFix.txt
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
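    As an added illustration (my own example, not code from TimW, ComboFix or MGtools) of what the RenV:: list above represents: each entry is a legitimate program that was renamed to "name .exe" (a space before the extension) so that a malicious file could take the original name. The script below scans a directory tree for that pattern and reports whether a file with the original name is sitting beside it; the sample tree it builds is constructed for the demo and the file layout is hypothetical.

```python
"""Report executables renamed to 'name .exe' (space before the extension).

Hypothetical helper, not part of ComboFix or MGtools. It only reports;
ComboFix's RenV:: section is what actually renames the files back.
"""
import os
import re
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

# Stem ending in a non-space, then one or more spaces, then an executable extension.
RENAMED_RE = re.compile(
    r"^(?P<stem>.*\S)\s+(?P<ext>\.(?:exe|com|scr|pif|dll|sys))$", re.IGNORECASE
)


def normalise(name: str) -> Optional[str]:
    """Return the original filename if `name` matches 'stem .ext', else None."""
    m = RENAMED_RE.match(name)
    if not m:
        return None
    return f"{m.group('stem')}{m.group('ext')}"


def scan_tree(root: str) -> List[Tuple[str, str, bool]]:
    """Walk `root`; return sorted (renamed_path, original_path, original_present).

    original_present is True when a file with the un-spaced name also exists
    in the same folder, i.e. something has taken the legitimate program's name.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        present = {f.lower() for f in files}
        for f in files:
            orig = normalise(f)
            if orig is None:
                continue
            hits.append(
                (os.path.join(dirpath, f), os.path.join(dirpath, orig), orig.lower() in present)
            )
    return sorted(hits)


def build_sample_tree(root: str) -> None:
    """Constructed sample mimicking a few entries from the RenV:: list (hypothetical layout)."""
    layout = {
        "Program Files/QuickTime": ["qttask .exe", "qttask    .exe", "qttask.exe"],
        "Program Files/Common Files/Java/Java Update": ["jusched .exe", "jusched.exe"],
        "Program Files/iTunes": ["ituneshelper .exe"],  # renamed, but nothing took its place
        "WINDOWS/system32": ["rundll32.exe", "notepad.exe"],  # clean names, no hits
    }
    for rel, names in layout.items():
        d = Path(root, rel)
        d.mkdir(parents=True)
        for n in names:
            (d / n).write_bytes(b"MZ")  # placeholder content, not a real PE file


def demo() -> List[Tuple[str, str, bool]]:
    """Build the constructed tree in a temp dir, scan it, return hits relative to the root."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return [
            (os.path.relpath(r, root), os.path.relpath(o, root), ok)
            for r, o, ok in scan_tree(root)
        ]


if __name__ == "__main__":
    for renamed, original, taken in demo():
        flag = "ORIGINAL NAME REPLACED" if taken else "original name absent"
        print(f"{renamed!r} -> {original!r}: {flag}")
```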
  4. SparkySparky4

    SparkySparky4 Private E-2

    Re: Still Malware problems after following READ ME FIRST procedures - help! (please..

    Thanks for your help Tim W.
    I have now limited the admin access to one account only.
    I have to admit I did not notice your request to run SAS and MBAM on each account (sorry!). I am in the process of doing that now and will report back. I am writing this from another machine.
    I did delete
    C:\Documents and Settings\All Users\Application Data\XORQ as I did not know what it was and it was created on 3 April when the issues started.

    I ran Combofix as requested and the Getlogs bat file. I have attached the logs - are they are of any use as I had not completed the SAS and MBAM on each account? I am not sure how important the order is that I run these programs.

    I cannot run SAS and MBAM on two user accounts:
    Dr Markov - when trying to run them I get the "Open with..." prompt.
    Mark - I still have no desktop and Task Manager is disabled.
    When I have run SAS and MBAM on the three remaining accounts that work I will post you the logs.

    One additional item. I noticed that when I ran RootRepeal as part of the READ and RUN FIRST I saw a reference to rootkit on my removable USB backup HDD. I disconnected it and therefore it does not show up in current scans. Please advise how I should clean this up.
     


  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Still Malware problems after following READ ME FIRST procedures - help! (please..

    NOTE: The version of MGtools being used is 21 months out of date. You need to run what is given in the cleaning process. Old copies should not be kept.
     
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Re: Still Malware problems after following READ ME FIRST procedures - help! (please..

    On the Dr. M account try running this:
    http://www.dougknox.com/xp/file_assoc.htm --> scroll down to the ninth file fix.

    Or:
    http://support.microsoft.com/default.aspx?scid=555067

    On the Mark account, do you have a start menu? Can you open a command prompt?

    Your external drive is fine, RootRepeal sees all external drives as having an MBR infection. Not an issue.

    Now;
    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    
    RenV::
    c:\program files\Adobe\Acrobat 7.0\Reader\adobeupdatemanager .exe
    c:\program files\Common Files\Java\Java Update\jusched .exe
    c:\program files\Sony\SonicStage\ssaad .exe
    c:\windows\system32\rundll32 .exe
    
    AtJob::
    
    File::
    C:\cleansweep.exe
    C:\DOCUME~1\MARK~1.FUN\LOCALS~1\Temp\login.exe
    C:\DOCUME~1\MARK~1.FUN\LOCALS~1\Temp\t7uwb6a0.exe
    C:\DOCUME~1\MARK~1.FUN\LOCALS~1\Temp\mplay32xe.exe
    C:\WINDOWS\system32\browserchoice.exe
    
    
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\ComboFix.txt
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
    Last edited: Apr 7, 2010
  7. SparkySparky4

    SparkySparky4 Private E-2

    Re: Still Malware problems after following READ ME FIRST procedures - help! (please..

    Thanks for the info on my external drive as all my data is backed up there - phew!
    Tried fixes on Dr M account.
    1) First fix did not work as "Registry editing has been disabled by your administrator"
    2) Second fix did not work as when I run command.com I get a message:
    16 bit MS Dos subsystem
    -----Temp file needed for initialisation could not be created to or written to--
    I don't really need the Dr M account. Could I just remove it?

    I do need the Mark account.
    I don't have any way of getting a prompt.
    The "windows" button only allows Windows U (a speech utility) although I can get an ie window open via a link in this. Don't know where to go from here.
    Also windows L lets me go back to account logon screen.

    I attach latest SAS log run from Lucy account.

    I ran C:\MGtools\analyse.exe but I got different lines to those in your message. I have attached the log. I did not select and FIX, therefore. I will wait to hear before running Combofix. Might call it a night soon.
     


  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Re: Still Malware problems after following READ ME FIRST procedures - help! (please..

    On the Mark account, if you can open an IE window, then type this into the address:
    c:\program files\malwarebytes' anti-malware\mbam.exe

    It should open the file. Same as SAS.
    ComboFix ( Combo should be at c:\documents and settings\Lucy\Desktop\ComboFix.exe)

    On the Lucy account.
    You need to download the latest version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Please do the Combo fix that I posted and when done, attach that log as well as the new log from running MGTools.exe.
     
  9. SparkySparky4

    SparkySparky4 Private E-2

    Re: Still Malware problems after following READ ME FIRST procedures - help! (please..

    OK managed to run SAS and MBAM on Dr M and Mark. I also ran SAS and MBAM on Nell and MBAM on Lucy. You already have the SAS log for Lucy. The other SAS scans were clean. I have attached all the MBAM logs as all showed something. I forgot to run the Ellie account but I did this after running Combofix/MG Tools and it is included in the next mail.
     


  10. SparkySparky4

    SparkySparky4 Private E-2

    Re: Still Malware problems after following READ ME FIRST procedures - help! (please..

    I ran Combofix and updated version of MGTools as instructed. Logs attached plus the MBAM log for Ellie account.
    It's late here so I'll check back in tomorrow. Thanks again.
     
  11. SparkySparky4

    SparkySparky4 Private E-2

    Re: Still Malware problems after following READ ME FIRST procedures - help! (please..

    Files attached
     


  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Re: Still Malware problems after following READ ME FIRST procedures - help! (please..

    The Lucy account is clean. But I am concerned about the account from which the second MBAM log you posted (the one that is 2.6kb in size) ... you need to log into that account and try to run RootRepeal, Combofix and the MGTools scans. Please identify which account it is for me.
     
  13. SparkySparky4

    SparkySparky4 Private E-2

    Re: Still Malware problems after following READ ME FIRST procedures - help! (please..

    The log came from Mark account which is the one I was using when the first pop ups started. It is this one that has task manager and regedit disabled. I have now got my desktop back by getting in via ie. I will now run the programs on that account.
     
  14. SparkySparky4

    SparkySparky4 Private E-2

    Re: Still Malware problems after following READ ME FIRST procedures - help! (please..

    The plot thickens:)
    On Mark account tried to run RootRepeal - would not run as "Could not load driver (0xc0000061)!"
    Tried to run Combofix - Would not run "errors occurred while trying to run -see window for more details" or something like that as I did not try again. CFix locked up and I had to reboot.
    Tried to run MGLogs - would not run. MGTools reports "32bit Windows OS is found". Then the 16bit MS-Dos subsystem error - "......temp file could not be created.... and after closing this dialog box - "Registry editing has been disabled by your administrator"

    So no joy with these. What now?
     
  15. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Re: Still Malware problems after following READ ME FIRST procedures - help! (please..

    Let's go a different route on the Mark account.

    Download and save the below to your PC (save it anywhere you can find it. The Desktop is fine). Then double click on it to run it.

    AVPFind.bat

    It should take a couple minutes to run. You will see a black command prompt window while it is running and it should close when it is finished. Once it finishes, attach the avplog.txt file that will hopefully be created on your Desktop as long as the malware does not block the batch file from running. (See: HOW TO: Attach Items To Your Post)

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click and choose Run as Administrator


    You only need to get one of them to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    1. Rkill.exe
    2. Rkill.com
    3. Rkill.scr
    4. Rkill.pif


    * Double-click on the Rkill desktop icon to run the tool.
    * If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    * A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    * If not, delete the file, then download and use the one provided in Link 2.
    * If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    * Do not reboot until instructed.
    * If the tool does not run from any of the links provided, please let me know.
    Once you've gotten one of them to run then try to immediately run the following.

    Now download and Run exeHelper from Raktor

    • Please download exeHelper to your desktop.
    • Double-click on exeHelper.com to run the fix.
    • A black window should pop up, press any key to close once the fix is completed.
    • A log file named log.txt will be created in the directory where you ran exeHelper.com
    • Attach the log.txt file to your next message.

    Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

    If you already have them installed, be sure to update Malwarebytes and SUPERAntiSpyware before the scan!

    Now run this: Using Malwarebytes Anti-Malware

    Now run this: SUPERAntiSpyware - running & getting a log

    Now run this: Using MGtools



    Now you need to attach (See: HOW TO: Attach Items To Your Post ) the below logs created while running the above scans

    • exeHelper log
    • Malwarebytes Anti-Malware log
    • MGlogs.zip - normally it is C:\MGlogs.zip - only attach this log from MGtools.exe DO NOT attach any logs seen in the MGtools folder.
     
  16. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Re: Still Malware problems after following READ ME FIRST procedures - help! (please..

    Additionally, I want you to log back into the Lucy account and using windows explorer, find this file:
    c:\windows\system32\drivers\Sysguard.sys

    right click it and tell me what the properties say. Does it have a signature? What program association?
     
  17. SparkySparky4

    SparkySparky4 Private E-2

    Re: Still Malware problems after following READ ME FIRST procedures - help! (please..

    Before I got your reply I ran MBAM again on Mark and got the attached. Had to reboot to finish removal.
    Opened Lucy and found
    c:\windows\system32\drivers\Sysguard.sys - System file,
    Unknown application. Created 03 August 2008, 21:22:00
    No signature. No info in the summary tab.
    Now to follow the different route....
     


  18. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Re: Still Malware problems after following READ ME FIRST procedures - help! (please..

    You don't need to do the AVP first part, but I am hoping that the MBAM scan took care of the issue with regediting and task manager.....plus, I will want you to uninstall all the programs that had been infected such as Adobe, QuickTime, iTunes , etc. But we will take care of that in the next fix.
     
  19. SparkySparky4

    SparkySparky4 Private E-2

    Re: Still Malware problems after following READ ME FIRST procedures - help! (please..

    I am a bit out of sync with you.
    I ran AVP and got the attached log.
    None of the Rkill programs would finish. Error "pev.rkexe has encountered a problem and needs to close. We are sorry for the inconvenience."
     


  20. SparkySparky4

    SparkySparky4 Private E-2

    Re: Still Malware problems after following READ ME FIRST procedures - help! (please..

    I also rebooted and logged into Mark. Task manager and regedit still disabled.
     
  21. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Re: Still Malware problems after following READ ME FIRST procedures - help! (please..

    Since so many of the programs were infected, I want you to uninstall all of these:
    SonicStage
    Acrobat 7.0
    Photoshop Album Starter Edition
    ImageStudio
    SUPERAntiSpyware
    Real\RealPlayer
    QuickTime
    Symantec AntiVirus
    Yahoo!

    You can reinstall them after running CCleaner and rebooting.

    Log into the Mark account after rebooting and see if you can run SAS and MBAM.

    Then see if you can download Blacklight Beta.

    * Download blbeta.exe and save it to the Desktop.
    * Once saved... double click blbeta.exe to install the program.
    * Click accept agreement and Click scan
    This app too may fire off a warning from antivirus. Let the driver load.
    Wait for it to finish.
    * If it displays any items...don't do anything with them yet. Just hit exit (close)
    * It will drop a log on Desktop that starts with fsbl....big number

    Please post contents of the BlackLight log.

    Also attach SAS and MBAM logs.
     
  22. SparkySparky4

    SparkySparky4 Private E-2

    Re: Still Malware problems after following READ ME FIRST procedures - help! (please..

    Deleted all files requested. Making progress. Task manager now runs on Mark.
    Although there is still no desktop when I log in, I can get through by running explorer via Task Manager.
    Ran CCleaner and rebooted.
    Ran SAS and MBAM on Mark. Logs attached.
    Could not run Blacklight on Mark as not Admin account.
    Running on Lucy. Still running...
    I have not reinstalled Symantec AV - this came via my work and is no longer supported. I would like to install something more effective. Am thinking of installing AntiVir Personal Edition.
     


  23. SparkySparky4

    SparkySparky4 Private E-2

    Re: Still Malware problems after following READ ME FIRST procedures - help! (please..

    Blacklight downloaded as fsbl.exe and not blbeta.exe. Started to run this on Lucy but it just sat there on Step 1 Scanning processes and went no further even when I left it for a few hours. Tried several times and had to exit via stopping through task manager as the Exit (close) command would not work.
    I have now installed Avira Antivir instead of Symantec AV. I ran a scan and it found 44 items. I have also now got SAS Professional with the Realtime scanner.
     
  24. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Re: Still Malware problems after following READ ME FIRST procedures - help! (please..

    I need you to run MGTools on the Mark account. I would also like to see the log from Avira showing what was found.
     
  25. SparkySparky4

    SparkySparky4 Private E-2

    Re: Still Malware problems after following READ ME FIRST procedures - help! (please..

    Here is the log from Avira which was run from Lucy account. I will now run MGTools on Mark.
     


  26. SparkySparky4

    SparkySparky4 Private E-2

    Re: Still Malware problems after following READ ME FIRST procedures - help! (please..

    Running MGTools on Mark was problematic. Lots of error messages - "32bit Windows OS is found". Then the 16bit MS-Dos subsystem error - "......temp file could not be created.... I hit ignore repeatedly and the program seemed to continue but then ended prematurely and I don't think a log was made as there are no new files in MGLogs.zip
     
  27. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

  28. SparkySparky4

    SparkySparky4 Private E-2

    Re: Still Malware problems after following READ ME FIRST procedures - help! (please..

    I took the actions at the link and then ran MGTools on Mark again.
    Got exactly the same error message again. In full it says:
    Dialog headed up 16 bit MS-DOS Subsystem
    C:\WINDOWS\system32\cmd.exe
    C:\DOCUME~1\MARK~1.FUN\LOCAL~1\Temp\. A temporary file needed for initialization could not be created or could not be written to. Make sure that the directory path exists, and disk space is available. Choose "Close" to terminate the application.

    I hit "ignore" again multiple times and again MGTools ended with no log.
     
  29. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Re: Still Malware problems after following READ ME FIRST procedures - help! (please..

    Try doing this:

    Go to start / run / and type:
    cmd
    when the command prompt appears, type:
    cd \MGtools <-- this changes to the MGtools folder and the prompt should change to C:\MGtools>
    ShowNew <-- this will try to run another scan from MGtools. Tell me what error messages, if any, you see.


    If it runs, attach the log.
     
  30. SparkySparky4

    SparkySparky4 Private E-2

    Re: Still Malware problems after following READ ME FIRST procedures - help! (please..

    Got the same error up but with
    C:\WINDOWS\system32\cmd.exe ShowNew
    I hit ignore several times and this time a log popped up - newfiles.txt which I've attached.
     


  31. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Re: Still Malware problems after following READ ME FIRST procedures - help! (please..

    Yes, the log is empty. Sigh. Is ComboFix on the desktop in the Mark account? If so, rename it to something else ( like svchost.exe ) and see if it will run then. We may need to just delete that account and create a new one. But I am afraid that there are still things that may be infecting you out of that account.

    Also, try running:
    GMER - running with a random name and attach the log from GMER.
     
  32. SparkySparky4

    SparkySparky4 Private E-2

    Re: Still Malware problems after following READ ME FIRST procedures - help! (please..

    Hi TimW. I have been away for a few days but thanks for your latest post.
    I followed your instructions. ComboFix is on the Mark desktop but will not run even when renamed svchost.exe. It says "Some files could not be created. Please close all applications, reboot Windows and restart this installation". Just a note that when I double click the icon I get the choice to run as current user Mark with a tick box in the "Protect my computer......etc." or as Lucy (the only admin account now). I select the former - but should I try to run it as Lucy?

    In the case of GMER. I followed the instructions. I ran it as Mark. It comes up with the error - Load Driver ("C:\DOCUME......Temp\pxtdypoc.sys" error 0xC0000061:Access is denied.
    Then various other error messages. I hit Scan and various other error messages come up then finally "GMER hasn't found any system modification". I can't see any log.

    Avira came up with 6 Trojans when it did last nights scheduled scan.

    Is it time to delete Mark (gulp!)
     
  33. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Re: Still Malware problems after following READ ME FIRST procedures - help! (please..

    Just knowing that the GMER scan did not detect any system modification. Could you attach the Avira scan?

    Can you get online in the Mark account? If so, try running the below online scan:

    http://www.superantispyware.com/onlinescan.html

    Reboot immediately after scanning if it finds and removes anything. Let me know if anything was found. It does not save a log.

    Can you do any of the alternative scans mentioned HERE?
     
  34. SparkySparky4

    SparkySparky4 Private E-2

    Re: Still Malware problems after following READ ME FIRST procedures - help! (please..

    I can get online OK on Mark account no problem. Attached is Avira scan. I will try others and report.
     


  35. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Re: Still Malware problems after following READ ME FIRST procedures - help! (please..

    All of that was malware in your system restore folders. They can only be removed by toggling system restore, which we will do later.

    Let me know how any of the alternative scans work.
     
  36. SparkySparky4

    SparkySparky4 Private E-2

    Re: Still Malware problems after following READ ME FIRST procedures - help! (please..

    The SAS online scanner downloaded fine but when I ran it, it said it needed to be run from an administrator account. Shall I switch Mark to an admin account?
     
  37. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Re: Still Malware problems after following READ ME FIRST procedures - help! (please..

    Yes!!
     
  38. SparkySparky4

    SparkySparky4 Private E-2

    Re: Still Malware problems after following READ ME FIRST procedures - help! (please..

    Managed to run SAS online and it got rid of 4 malware hiding as SVCHost.exe (x3) and also it found Registry Key for Combofix.exe.
    I rebooted for removal.
    Noticed that Combofix has gone.
    Tried to run GMER and it ran but then gave me a BSOD.
    Downloaded Combofix to Desktop as CF.exe and ran it and it completed! Enclosed is the log.
     


  39. SparkySparky4

    SparkySparky4 Private E-2

    Re: Still Malware problems after following READ ME FIRST procedures - help! (please..

    Now have run MGtools and log is attached.
     


  40. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Re: Still Malware problems after following READ ME FIRST procedures - help! (please..

    You do realize that when you log into the Mark account, you are actually logging into the Mark.FUN1 account.

    Use windows explorer to find and rename:
    c:\windows\system32\drivers\.sys by adding an .old to the end.

    Tell me what issues you are still having on this user account.
     
  41. SparkySparky4

    SparkySparky4 Private E-2

    Re: Still Malware problems after following READ ME FIRST procedures - help! (please..

    I was aware that when I was referring to the Mark account it was actually Mark.FUN1. FUN1 is the computer name and when I originally set this computer up I think Mark.FUN1 was created from the original Mark account although I don't recall the details. Was it something to do with the .NET Framework?
    Mark is not set up as a normal user account - no Desktop or My Documents - and is not used. Should I do anything to clean this position up?

    I have renamed .sys to a.sys.old as it would not let me just add .old

    Ran a few more scans today. Avira found W95/Bumble - this seemed to appear after I had run Panda (which did not find anything).

    Ran MBAM - clean.
    RootRepeal - log attached.
    Spybot S&D found 2 items - log attached
    Installed a-squared Free - found malware - log attached

    Not seeing particular problems on this account now - just the scan hits.
     

    Attached Files:

  42. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Re: Still Malware problems after following READ ME FIRST procedures - help! (please..

    That usually indicates that the Mark account became corrupt and the computer created a salvaged account with that name. You can delete the Mark account and once done, you may be able to rename the Mark.FUN1 account back to Mark.

    Otherwise, are you having any additional issues with any other account or the computer as a whole?
     
  43. SparkySparky4

    SparkySparky4 Private E-2

    Re: Still Malware problems after following READ ME FIRST procedures - help! (please..

    Thanks for the info on the Mark.FUN1 account. I'll have a go at doing as you suggest.
    Actually everything looks back to normal and even the desktop on Mark.FUN1 now opens without me having to use Task Manager.
    All other accounts appear fine although I have not run scans on each of them.
    Do you think I'm clean now?
     
  44. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Re: Still Malware problems after following READ ME FIRST procedures - help! (please..

    I was not seeing any additional malware in your logs.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (this uninstall will only work as written if you installed ComboFix on your Desktop like we requested).
      • Click START then RUN and enter the below into the run box and then click OK. Note that the quotes are required:
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between combofix" and /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to Add/Remove Programs and uninstall HijackThis.
    7. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    8. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 6 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work through the below link:
     
  45. SparkySparky4

    SparkySparky4 Private E-2

    Re: Still Malware problems after following READ ME FIRST procedures - help! (please..

    Clean up completed and restore point refreshed.
    I already purchased SAS Pro so hopefully that will help keep things clean and Avira seems to be a decent AV. Fingers crossed.
    Many thanks for your help and patience.
    Mark.
     
  46. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Re: Still Malware problems after following READ ME FIRST procedures - help! (please..

    You are most welcome. Safe surfing. :)
     
