MajorGeeks Support Forums

MajorGeeks Support Forums (http://forums.majorgeeks.com/index.php)
-   Malware Removal (http://forums.majorgeeks.com/forumdisplay.php?f=35)
-   -   What do I need to Remove? (http://forums.majorgeeks.com/showthread.php?t=154806)

c1cdj 03-17-08 10:37

RE: Read Me & Run Me First
 
3 Attachment(s)
I followed the instructions in Read Me & Run Me First. All seems to be working fine. My question is that I have a valid version of Windows XP Pro that was installed while using my computer at the office. I no longer work there and my computer is now at home. I get a message from Windows that I am no longer considered valid because my copy now has a blocked Volume License Key. I also was not given the Windows disk. I know I'm going to have to do the upgrade thing they want you to do but am unable to afford it yet. I get Automatic Updates but I know they probably aren't complete. Am I at least partially protected after doing the steps in Read Me & Run Me First? :confused

chaslang 03-18-08 00:03

Re: Read Me & Run Me First
 
Welcome to Major Geeks!
Quote:

Originally Posted by c1cdj (Post 1124541)
Am I at least partially protected after doing the steps in Read Me & Run Me First? :confused

That is not the main goal of the READ & RUN ME, although taking some of the steps in there (like with Spybot's Immunize and updating Sun Java) does give some added protection. The goal of the READ ME is to remove malware from your PC and you do not appear to have any.

If you wish to look into protection, that is in another sticky thread:

How to Protect yourself from malware!

c1cdj 03-20-08 10:52

What do I need to Remove?
 
I read a note somewhere on your site telling someone to remove certain things after using the READ ME & RUN ME FIRST guide. I used it and submitted my logs. I was just wondering if I needed to remove anything.

chaslang 03-21-08 11:15

Re: What do I need to Remove?
 
Quote:

Originally Posted by c1cdj (Post 1125936)
I was just wondering if I needed to remove anything.

Yes, you can do the below.
  1. UNINSTALL COMBOFIX (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
    • Click START then RUN
    • Now type cf /u in the runbox and click OK.
    • Note: the space between the cf and the /u must be there.
  2. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip

c1cdj 03-24-08 13:41

Re: What do I need to Remove?
 
I think I messed up. I deleted combofix (cf.exe) before I read your message now McAfee keeps saying it is detected way down in the bowels of my computer where I cannot go. Will I still be able to do the READ ME & RUN ME FIRST again as suggested by Tim? I am still having problems with my cpu running at 100%. I watched McAfee scan for 5 hours right by some porn sites listed as domains. I also rec'd a message from McAfee that an infected e-mail had been deleted. When I initially did R&RMF all was well for a couple of days and then started getting slow again. I went to pacs portal and it says there are all kinds of things running put there by worms and trojans! McAfee supposedly killed JS Wonka and PUPER KK and the Zlob CD & Zlob CE have also been in here.
Tim wants me to attach the logs from my scan, but I already sent them to you for the one and only time I've done it. You said I did not appear to be infected. Do I do the R&RMF again or are there other things you suggest? I would really appreciate working with you since you are somewhat familiar with my situation.

chaslang 03-25-08 01:43

Re: What do I need to Remove?
 
Quote:

Originally Posted by c1cdj (Post 1127946)
I think I messed up. I deleted combofix (cf.exe) before I read your message

Just download it again to your desktop and then use the uninstall command.

Quote:

Originally Posted by c1cdj (Post 1127946)
now McAfee keeps saying it is detected way down in the bowels of my computer where I cannot go.

I have no idea what you mean.

Quote:

Originally Posted by c1cdj (Post 1127946)
Will I still be able to do the READ ME & RUN ME FIRST again as suggested by Tim?

Again I don't know what you are referring to. Are you working in another thread with Tim? If so, then work in that thread only.

Quote:

Originally Posted by c1cdj (Post 1127946)
I am still having problems with my cpu running at 100%.

In your first message in this thread you said
Quote:

All seems to be working fine.
If you are having problems you should be completing the READ ME and attaching the logs as requested. No logs = No help. Also if you are working in another thread, I repeat stay in that thread.

Quote:

Originally Posted by c1cdj (Post 1127946)
Tim wants me to attach the logs from my scan, but I already sent them to you for the one and only time I've done it. You said I did not appear to be infected. Do I do the R&RMF again or are there other things you suggest? I would really appreciate working with you since you are somewhat familiar with my situation.

You said things were fine, and then they became bad again. Thus the answer is start over again. Make sure you look carefully at the READ ME cleaning instructions for your Windows version because they have changed. ComboFix is not in the steps right now.

c1cdj 03-26-08 09:00

Re: What do I need to Remove?
 
1 Attachment(s)
I am beginning all over again. I started with The Special Removal procedures for SmitFraud/Zlob. Attached is the first log.

c1cdj 03-26-08 09:47

Re: What do I need to Remove?
 
1 Attachment(s)
Special Removal Procedures, SmitFraud/Zlob, second log attached.
Also, during my reboot, I got a message from both Super Anti Spyware and McAfee saying something wanted to change my Comcast Homepage to something else and I had to block the change. In addition, my desktop is now blue instead of black as I had it. What do I do to change it back?

chaslang 03-26-08 23:22

Re: What do I need to Remove?
 
Why are you running SmitFraudFix? You do not have a smitfraud/zlob infection.

If you are having malware problems, you need to run the READ & RUN ME and then afterwards, if you still have problems, attach the requested logs and tell us what problems you are having. But, as I stated in message number 2, your first set of logs showed no malware, so I'm not sure what you are trying to accomplish unless you really have become reinfected. Again, if you feel you are reinfected, run the READ ME.

c1cdj 03-27-08 08:08

Re: What do I need to Remove?
 
I've had problems since Feb 26. I was having hundreds of pop-ups saying I had a back door trojan and wanting me to purchase their programs to remove it. My CPU began running at 100% with stuff taking forever to open or not opening at all, the hourglass was coming up for no reason continually and when it did the whole screen would "burp" or skip almost blink.
I am unskilled at more than basic computer maintenance. I went to Symantec for guidance, downloaded Norton System Works and ran it daily after McAfee Security Suite, which is supplied by Comcast. McAfee removed PUPER and JS WONKA. Norton removed a bunch of other stuff, my trial expired, and I uninstalled it but kept McAfee. Still having pop-ups of a backdoor trojan and a new toolbar appearing on IE browser, I searched online for malware removal, did online scans which picked up and tried to remove Zlob CD.
I found Major Geeks, immediately signed on and did the READ & RUN ME FIRST, sent in my logs and everything seemed to work for a couple of days. System began running at 100% again, the constant hourglass and screen blinking, stuff asking for registry changes and internet access. In one of your messages you said to start over with R&RMF, so I did. At the very beginning of R&RMF it has Special Removal Procedures if you know what you have, so I ran SmitfraudFix due to Zlob being the thing that kept showing up in all of the scans repeatedly. Even after running SmitfraudFix, as I rebooted, a pop-up asked me to change my homepage and I blocked the change.
I do not know how to do this stuff. I've owned my computer since 2000 and I know that there is a problem. I am hoping to learn a lot from you. Please, Mr. chaslang, help me. I had intended to continue on with my second time of R&RMF after I heard from you regarding the SmitfraudFix logs.

chaslang 03-27-08 12:52

Re: What do I need to Remove?
 
Please just skip the Special Removal Procedures and run the rest of the READ ME and attach all of the requested logs. You will notice that ComboFix is not in the READ ME at this time. Make sure you use the current online version of the READ ME.

c1cdj 03-28-08 14:14

Re: What do I need to Remove?
 
2 Attachment(s)
I have finished Read & Run Me First. Attached are the only logs generated. Super Anti-Spyware did not find anything and made no log. SpyBot Search and Destroy did not find anything. I'll wait to hear from you before continuing. Let me know when it's time to toggle system restore.

chaslang 03-29-08 01:52

Re: What do I need to Remove?
 
Your logs do not really show any major problems other than what Malwarebytes already removed. I do have a few things that you should do though.

First, you must get out of the habit of saving downloads into the C:\Program Files folder. This folder should only contain installed programs, not downloaded files. If you need the below files, move them somewhere else or delete them.
Code:

C:\Program Files\
defrag~1.exe Mar 24 2008 1978240 "DefragSetup.exe"
firefo~1.exe Mar 18 2008 6029648 "Firefox Setup 2.0.0.12.exe"
micros~1.lnk Mar 12 2008 104 "Microsoft Outlook.lnk"
spybot~1.exe Mar 16 2008 9722720 "spybotsd152.exe"
supera~1.exe Mar 16 2008 6342680 "SUPERAntiSpyware.exe"
winmx353.exe Feb 1 2008 823296 "winmx353.exe"

Download HostsXpert and then follow the below steps.
  • Unzip HostsXpert.zip
  • It will create a folder named HostsXpert in whatever folder you extract it to.
  • Run HostsXpert.exe by double clicking on it.
  • click the Make Writeable? button.
  • click Restore Microsoft's Hosts File and then click OK.
  • Click the X to exit the program
Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O8 - Extra context menu item: Get It With Kontiki - res://C:\Program Files\Kontiki\bin\bh309190.dll/201
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) -

After clicking Fix, exit HJT.

Now we need to Reset Web Settings:
  1. If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
  2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
  3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
Note for IE 7 users: You need to select Internet Options then the Advanced tab and then Reset Internet Explorer Settings!

Now run Ccleaner!
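
As an added example (not part of the thread or of HijackThis itself), a small parser for the three HijackThis line types chaslang quotes above (O4 Run-key autostarts, O8 context-menu items, O16 Downloaded Program Files controls), so a helper reviewing a pasted log can pull out the registry hive, value name, image path, CLSID and source URL as fields instead of eyeballing the raw text. The sample log is constructed from the lines on this page; the O16 entry has no URL, exactly as it appears in the thread, and the parser records that as a missing value rather than failing.

```python
import re

# Constructed sample: the three HijackThis lines quoted in the thread.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [SunJavaUpdateSched] "C:\\Program Files\\Java\\jre1.6.0_05\\bin\\jusched.exe"
O8 - Extra context menu item: Get It With Kontiki - res://C:\\Program Files\\Kontiki\\bin\\bh309190.dll/201
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) -
"""

# O4: autostart under a Run key; hive, key, value name and the command that runs.
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<command>.*)$')
# O8: Internet Explorer context-menu extension; display text and its target (often a res:// URL).
O8_RE = re.compile(r'^O8 - Extra context menu item: (?P<name>.*?) - (?P<target>.*)$')
# O16: Downloaded Program Files (ActiveX) control; CLSID, display name, optional source URL.
O16_RE = re.compile(r'^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]{36}\}) \((?P<name>[^)]*)\) -\s*(?P<url>\S*)$')

PATTERNS = {"O4": O4_RE, "O8": O8_RE, "O16": O16_RE}


def parse_hjt(text):
    """Return one dict per non-empty line: section, raw line and any parsed fields.
    Sections this parser does not model keep only section and raw text."""
    entries = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        section = raw.split(" - ", 1)[0]
        entry = {"section": section, "raw": raw}
        pattern = PATTERNS.get(section)
        match = pattern.match(raw) if pattern else None
        if match:
            entry.update(match.groupdict())
            if section == "O16" and not entry["url"]:
                entry["url"] = None  # trailing " -" with nothing after it: no source URL
        entries.append(entry)
    return entries


def o4_executable(command):
    """Strip the quoting HijackThis preserves around an O4 path so the image path
    can be compared with the file actually present on disk."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]
```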

c1cdj 03-29-08 09:01

Re: What do I need to Remove?
 
I have completed everything you told me to and set my homepage to MajorGeeks.com.
I await further instructions.
When do I toggle System Restore?

c1cdj 03-29-08 13:27

Re: What do I need to Remove?
 
1 Attachment(s)
McAfee froze up trying to tell me about registry changes that were trying to be made and a bunch of other stuff when I did the Reset Internet Explorer. I decided to run Malwarebytes again. Log is attached. Should I do something else?

chaslang 03-29-08 13:42

Re: What do I need to Remove?
 
Quote:

Originally Posted by c1cdj (Post 1130447)
McAfee froze up trying to tell me about registry changes that were trying to be made and a bunch of other stuff when I did the Reset Internet Explorer.

Shutdown or uninstall McAfee then and do the steps again, as all it did was block you from making the changes we were trying to make. That is unless it gives you the option to allow the changes. Then just allow the changes. You are the one making the changes so you need to make sure you accept them.

c1cdj 03-29-08 16:31

Re: What do I need to Remove?
 
I re-did the Reset Internet Explorer and this time it seemed to go ok. What else can I do to get this baby "right" again? Are there any other things I need to run? Is it safe to continue on as normal? Do I do a toggle system restore yet?
I'm ready for the next step, sir.

chaslang 03-30-08 00:03

Re: What do I need to Remove?
 
If you are not having any other malware problems, it is time to do our final steps:
  1. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop & renamed it like we requested.)
    • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
    • "%userprofile%\Desktop\cf" /u
      • Notes: The space between the cf" and the /u, it must be there.
      • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
  2. If we had you run Avenger, you can delete all files related to Avenger now.
  3. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
  4. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
  5. If you are running Windows XP or Windows ME, do the below:
    • Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore which will flush your Restore Points.
    • Then reboot and Enable System Restore to create a new clean Restore Point.
  6. After doing the above, you should work thru the below link:

c1cdj 03-30-08 12:21

Re: What do I need to Remove?
 
I am becoming frustrated with this!!! I did the things listed in your last thread except remove MGTools. I feel the need to keep it.
Upon reboot after turning back on System Restore, Super Anti-Spyware popped a box up, again, saying that I was being asked to change my home page from Majorgeeks.com to msn........redirect..... I forget it all but I blocked the change. I decided to again run Malwarebytes. It turned up, and I deleted,
Trojan.Agent C:\windows\system\SYSRegC.dll.
What does all this mean? Is there STILL stuff in here that I haven't addressed?
Is there more I could do? I am SO READY for this hassle to be over and done.
Also, after the reboot, the Java Icon showed up in my tray. I went to the Java file in Program files, in the Bin, I found jusched.exe and deleted it.
Probably not the thing to do but I'm about to lose all my patience.
What do you suggest?

chaslang 03-30-08 22:16

Re: What do I need to Remove?
 
Quote:

Originally Posted by c1cdj (Post 1130855)
Upon reboot after turning back on System Restore, Super Anti-Spyware popped a box up, again, saying that I was being asked to change my home page from Majorgeeks.com to msn........redirect..... I forget it all but I blocked the change

Why?? This is what I asked you to change your home page to back in message #13. What's the problem? You should not be blocking the change. It is what we were trying to do.


Quote:

Originally Posted by c1cdj (Post 1130855)
I decided to again run Malwarebytes. It turned up, and I deleted,
Trojan.Agent C:\windows\system\SYSRegC.dll.

This was deleted previously. However it is just due to what you installed on your PC. Are you the one who installed Max Registry Cleaner? If not then uninstall it. It is not malware so Malwarebytes is incorrect in deleting it.

Quote:

Originally Posted by c1cdj (Post 1130855)
Also, after the reboot, the Java Icon showed up in my tray. I went to the Java file in Program files, in the Bin, I found jusched.exe and deleted it.
Probably not the thing to do but I'm about to lose all my patience.
What do you suggest?

It is just the autoupdate program for Sun Java and is not a problem. You can disable autoupdating if you prefer.
