Help with Virus Removal

[Rudy9443]

I have been having issues cleaning out my mothers computer. It started pretty much non-functional and can now get on to the internet but am looking to fully clean it out. I have gone through the required procedures before posting. Thanks in advance for the help!

[TimW]

Quote:

Originally Posted by Rudy9443

I have gone through the required procedures before posting.

If so, then you need to attach the following logs:
ComboFix
RootRepeal - if it runs
C:\MGLogs.zip

[Rudy9443]

Sorry about leaving those items out. I can not get combofix to run, after the installation it just closes out. I am also running an x64 version of windows so I did not run RoorRepeat. I am attaching the mglogs.zip.

[TimW]

Are you missing any desktop shortcuts or items in your start menu? If you are, run this:

Please download and save the below tool from Grinler @ bleepingcomputer to your Desktop or anywhere else you can find it ( if the Desktop is not showing )

http://download.bleepingcomputer.com/grinler/unhide.exe

Now run it. Now see if you can find the items that seemed to be missing?

Now:
Download OTL to your desktop.

Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

Now copy just the bold text below to notepad (Do not include any space above the word REGEDIT). Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Quote:

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"VHuvoNRQPlUqRK.exe"=-

[HKEY_USERS\S-1-5-21-1579993864-145787240-3840347156-1003\Software\Microsoft\Windows\CurrentVersion\run]
"VHuvoNRQPlUqRK.exe"=-

Make sure that you tell me if you receive a success message about adding the above
to the registry. If you do not get a success message, it definitely did not work.

Double-click OTL.exe to start the program.

• Copy and Paste the following code into the Custom Scans/Fixes textbox. Do not include the word Code

Code:

:processes
:killallprocesses
:files
C:\ProgramData\VHuvoNRQPlUqRK.exe
C:\ProgramData\-vGUVeSYEoDp3bW
C:\ProgramData\vGUVeSYEoDp3bW
C:\Users\KAT.Grass-PC\AppData\Local\Temp\148.dir
C:\Users\KAT.Grass-PC\AppData\Local\Temp\148.tmp
C:\Users\KAT.Grass-PC\AppData\Local\Temp\3BB1.tmp
C:\Users\KAT.Grass-PC\AppData\Local\Temp\ASK13BE.tmp
C:\Users\KAT.Grass-PC\AppData\Local\Temp\D81.tmp
:commands
[PURITY]
[EMPTYTEMP]
[RESETHOSTS]
[REBOOT]

• Then click the Run Fix button at the top.
• Click the OK button.
• OTL may ask to reboot the machine. Please do so if asked.
• The report should appear in Notepad after the reboot. Just close notepad and attach this log form OTL to your next message.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).Make sure that you watch for the license agreement for TrendMicro HijackThis and click on the Accept button TWICE to accept ( yes twice ).

Then attach the below logs:

* C:\MGlogs.zip

Make sure you tell me how things are working now!

[Rudy9443]

I still can't get ComboFix to run but here is the MGlog.zip. I ran the McAffee that is on the computer and so far it hasn't detected anything! Am going to run SuperAntiSpyware and MalwareBytes just to make sure.

[Rudy9443]

Just ran all the rest of my scanners and didn't come up with any threats! The only thing is that I can't change the desktop background for some reason. Any ideas?

[TimW]

Quote:

Originally Posted by Rudy9443

Just ran all the rest of my scanners and didn't come up with any threats! The only thing is that I can't change the desktop background for some reason. Any ideas?

Your logs are clean. I suggest you post in the software forum for additional assistance with your desktop.

If you are not having any other malware problems, it is time to do our final steps:

1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.We recommend them for doing backup scans when you suspect a malware infection.
2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
   
   • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
   • "%userprofile%\Desktop\combofix" /uninstall
     
     • Notes: The space between the combofix" and the /uninstall, it must be there.
     • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
     
     
   
   
3. Go back to step 6 of the READ ME and renable your Disk Emulation software with Defogger if you had disabled it.
4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
7. Go to add/remove programs and uninstall HijackThis.
8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
   
   • Refer to the cleaning procedures pointed to by step 7 of the READ ME
     for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
   
   
10. After doing the above, you should work thru the below link:
    
    • How to Protect yourself from malware!

Malware removal from a National Chain = $149
Malware removal from MajorGeeks = $0