Malware Problems. A little help....

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Rayster, Oct 20, 2007.

  1. Rayster

    Rayster Private E-2

    Well I read the rules before posting any Malware Problems here, but I think it is outdated since it's 2007 now.

    Can you guys provide me with what to do? I am positive that my PC is infected with malware.

    Before the great accident happened, my IE7 used to have a "Brush Paint" function sometimes on other sites, like the one in MSPaint, and it is colored pink. I thought this was a bug with IE7, so I switched to Mozilla Firefox and it's OK.

    The worst thing I have done is downloading Trojan Hunter from a P2P site to get the full version. Of course I scanned it before opening it, and my NOD32 didn't detect anything. So I installed it and moved the crack files into its program directory.

    I opened its shortcut on the desktop, and all of a sudden all of my anti-spyware/virus/YM etc. in my tray bar closed by themselves, with the option to send the error to Microsoft or Don't Send. Then my PC froze and hung a lot, so I decided to restart my PC.

    Then I scanned with my Ad-Aware and Spybot and they deleted almost all cookies. My NOD32 didn't find anything suspicious. I also used CCleaner to delete some unneeded files and registry entries. Then I restarted my PC.

    After I recovered my tray icons, one thing has not been solved. Every time I open my YM it signs me in, then a pop sound is heard and my YM closes by itself (Send Error/Don't Send). So I tried installing it again. But no luck, it's all the same.

    For those experts willing to help a poor guy here, I really appreciate it very much.

    I also use GoGoGoData Adbuster in my Tray Bar.

    I hope you can give me instructions to follow so that I can solve my problems with your help. ;)
     
  2. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    Hi Rayster


    The Read Me guide, if that's what you're referring to as the rules, is up to date. As malware is moving on, the steps in the guide move with the times too; the original post was made on 06-23-04 but the edits to that post/thread are currently at 09-14-07 (all applications mentioned in the guide for download are at their last known current version too).


    http://forums.majorgeeks.com/showpost.php?p=664939&postcount=2

    So please do run that guide and attach the logs requested.
     
  3. Rayster

    Rayster Private E-2

    I followed it all. So here are the files...
     
    Last edited: Feb 9, 2008
  4. Rayster

    Rayster Private E-2

    Here are the last 2, I hope you guys can help me. ^_^
     
    Last edited: Feb 9, 2008
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not attach the correct log from the BitDefender scan. What you attached is a log summary which is not useful and does not tell us exactly where things were found nor whether they were fixed.

    Also you skipped a required step! CounterSpy or AVG Antispyware should have been run right after running Spybot. Also a log from one of them should have been attached. Also you did not follow the step for Spybot. You are using version 1.4 and version 1.5 has been available for quite a while now. The READ ME is up to date but you need to click the links given in it to make sure you are using current tools.

    Why do you have so many newly installed drivers and DLL files? Was a lot of software just installed on this PC? On second look, it appears from your Program Files folder that you did just install about 61 new programs since Oct 16th. This can be a dangerous thing to do because it would be impossible to determine what software could be causing a problem (if problems occur) because too many things were installed in such a short time frame. In addition, it makes it extremely difficult for us to locate any potential problem files on your PC since almost everything is new and this makes your logs huge with thousands of things to look at. This makes it even more important that you run the automatic scanners. So please run either CounterSpy or AVG Antispyware now and attach the log. Then continue on.


    Download this file - combofix.exe
    1. Double click combofix.exe & follow the prompts.
    2. When finished, it will produce a log ( C:\combofix.txt ) for you. Attach this log to your next reply. See: HOW TO: Attach Items To Your Post
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Then delete the below files if found:
    C:\WINDOWS\system32\TUKernel.exe
    C:\WINDOWS\system32\Sys32\NBRY.007_tobedeleted_old

    Also tell me what else is in C:\WINDOWS\system32\Sys32, which is not a normal folder to have and appears to be very questionable.


    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT
    4. the ComboFix log
    Make sure you tell me how things are working now!
     
    Last edited: Oct 21, 2007
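The request in message #5 amounts to an inventory of a questionable folder and of everything recently added under system32. The script below is an added example, not code from chaslang or the MajorGeeks READ & RUN ME guide, and it assumes a Windows machine with PowerShell 4 or later (which a 2007 XP box would not have had). The folder path and the Oct 16 cut-off date are taken from the thread; the function name is mine.

```powershell
# Added triage helper (not part of the MajorGeeks thread). Lists every file
# under a folder with timestamps, size, hidden flag, SHA-256 and Authenticode
# status so the listing can be pasted into a reply or handed to an analyst.
# Assumes PowerShell 4+ (Get-FileHash) on Windows.
function Get-FolderTriageReport {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path,
        # Optional cut-off: only report files created on or after this date
        # (for example the Oct 16 install date mentioned in message #5).
        [datetime]$CreatedSince = [datetime]::MinValue
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Folder not found: $Path"
        return
    }

    # -Force includes hidden and system files, which malware droppers often set.
    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $CreatedSince } |
        ForEach-Object {
            $hash = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
            $sig  = Get-AuthenticodeSignature -LiteralPath $_.FullName -ErrorAction SilentlyContinue
            [pscustomobject]@{
                FullName      = $_.FullName
                SizeBytes     = $_.Length
                CreationTime  = $_.CreationTime
                LastWriteTime = $_.LastWriteTime
                Hidden        = (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0)
                SHA256        = if ($hash) { $hash.Hash } else { 'n/a' }
                Signature     = if ($sig)  { $sig.Status } else { 'n/a' }
            }
        } |
        Sort-Object CreationTime -Descending
}

# Usage: inventory the questionable folder from message #5 ...
Get-FolderTriageReport -Path 'C:\WINDOWS\system32\Sys32' | Format-Table -AutoSize

# ... then everything created under system32 since the install spree began,
# saved as CSV so it can be attached to a forum reply.
Get-FolderTriageReport -Path 'C:\WINDOWS\system32' -CreatedSince '2007-10-16' |
    Export-Csv -Path "$env:USERPROFILE\Desktop\system32-new-files.csv" -NoTypeInformation
```

Creation time, SHA-256 and signature status are the three columns a helper most wants: the timestamp ties a file to the install window, the hash can be checked against vendor or multi-engine databases, and an unsigned or invalid-signature binary sitting in system32 is worth a closer look. Run it from an elevated prompt, since some system32 entries are not readable otherwise.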
  6. Rayster

    Rayster Private E-2

    Whoa. I did not expect that I broke some rules here. Sorry for that.

    By the way, let me clear this first before doing the scan:
    1.) I need to scan using CounterSpy or AVG Antispyware? Is this also an online scanner? If yes, can you give a link?
    2.) Do I need to download the 1.5 version of Spybot and scan again? Same also with BitDefender because of the wrong log files?
    3.) Or is it better for me to repeat all the steps from the beginning? If not, where should I start? From step bla bla bla?...

    Thank you for the help. I can start the diagnosis as soon as you reply.:p
     
    Last edited by a moderator: Oct 22, 2007
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No they are not online scanners. They are in the READ & RUN ME and you only need to run one of them. We ask for CounterSpy first and if it cannot be run for any reason we ask that you then run AVG Antispyware in its place.

    For now, just uninstall the 1.4 version and install the 1.5 version. Make sure you uncheck the option that enables Teatimer during the installation.

    Don't worry about it now. If we run into any problem trying to get things fixed, we may need to re-run it later and get the correct log.


    No you don't need to do that. Just run either CounterSpy or AVG Antispyware and attach the log. Then move on to the instructions I gave where you use ComboFix and continue from there.
     
  8. Rayster

    Rayster Private E-2

    Hello again chaslang, I already ran CounterSpy 2x but I haven't found any Save Log in its interface. And there's no tutorial for it like for AVG Anti-Spyware.

    And can you see what programs I installed on my PC? Can you recommend which ones I should uninstall? You said that there are 61 programs I installed. Maybe I installed too many IE7 add-ons, and right now I am using Mozilla Firefox. Should I uninstall them all?
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The instructions in the READ ME give the below information
    If you still cannot get this log, just move on to the other steps I have given you.

    I'm not saying you should uninstall anything. I'm just saying that installing so much software in such a short time frame is not a great idea. When and if you run into problems (like you have now) it will be difficult to determine what may be causing your problems since so much has been changed. In addition, as I already stated, it makes reading your logs extremely difficult because we are looking for new files while searching for possible malware. And since you have so many new files, it is very, very hard to find any particular malware file when mixed in with thousands of new files.
     
  10. Rayster

    Rayster Private E-2

    I can give you anything, like my Program Files, so that you can check which ones I should uninstall.

    And here's the last batch of my log files. :)
     
    Last edited: Feb 9, 2008
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I don't need any info on what is in C:\Program Files since it is already in your logs and that is why I mentioned that a lot of stuff was just installed. This forum is only for malware topics. You still have not completed what I requested in message # 5. You need to answer my questions and you need to attach the other requested logs.
     
  12. Rayster

    Rayster Private E-2

    I thought I already posted the HJT, GetRunKey, and ShowNew logs in my previous posts in messages #3-4?

    And I already deleted "C:\WINDOWS\system32\TUKernel.exe" the other day when I ran ComboFix...
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That was before running the instructions in message # 5. Message # 5 asks for new logs after the instructions have been followed.

    And you still have not answered my questions:

    1) Also tell me what else is in C:\WINDOWS\system32\Sys32, which is not a normal folder to have and appears to be very questionable.

    2) How are things running?
     
  14. Rayster

    Rayster Private E-2

    Yup, I also deleted the files I found in the Sys32 folder, the one you mentioned earlier.

    And my system is OK now, it runs like before.

    Is my computer safe now?

    Please summarize what do you still need so that I can post it here. :)
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Until you post the follow up logs I have requested multiple times I cannot answer your questions.

    And in addition a question like "is my computer safe now" can never be answered with 100% certainty. If your logs do not show any malware, it really just means that we are not seeing any malware based upon what is in the logs. So when I see your logs I will be able to tell you whether your logs are clean or not. The only real way to know a system is totally clean is to re-partition (without backing up any data since it cannot be trusted to be clean), format, and then reinstall from the original CDs (not copies) that came from Microsoft and from all of the other companies whose software you use.
     
  16. Rayster

    Rayster Private E-2

    Here are the log files.
     
    Last edited: Feb 9, 2008
  17. Rayster

    Rayster Private E-2

    Here's the last one.
     
    Last edited: Feb 9, 2008
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your logs are clean.

    You should uninstall the Sunbelt CounterSpy trial program now since we are finished with it.

    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix, you can delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, C:\WINDOWS\nircmd.exe, C:\combofix.txt and C:\ComboFix-quarantined-files.txt logs that were created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    6. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    7. If we had you run Avenger, you can delete all files related to Avenger now.
    8. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    9. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created.
    10. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    11. After doing the above, you should work thru the below link:
     
  19. Rayster

    Rayster Private E-2

    I really thought of it because my system is now running at normal speed, unlike the times I hadn't scanned for malware. Thank you very much chaslang. ;)

    I did what you said, deleted all the unnecessary files and now reading the link you gave.

    Again thank you.
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
