Cannot open Major Geeks site, Could Not complete Cleaning Steps, Got ONLY MGTools Log

monalisa · Nov 12, 2008

Hello,
My laptop got affected with some malwares following which I first did a full scan with Symantec Antivirus. It detected some rootkit, bleep (dont remember all) which it apparently deleted permanently after reboot.

After using CCleaner, Used Spybot Seach & Destroy - it found some threats which it fixed.

I scanned with SuperAnti-Spyware - which detected some items and deleted them after a reboot.

I later realised I should have run the spybot after SAS, so I ran the spybot one more time now - it did NOT find any threat this time.

Things got bad after this - following is whats happening now:

1. SInce I forgot to get the log for SAS scan, I tried to open it - I am getting a msg " SAS encountered a problem, it need to close down".

2. When connected to the internet, if I google "Major Geeks", the search results are showing the Major geeks website link, but when I click on it, its saying "page not found", whereas I can evidently access the sites from other computers!!

3. I had MABM installed from the past - but the program is NOT opening!! So I thought I will email myself the MABM, COMBOFIX & MGTools applications, downloaded them to the infected computer. Tried to install MABM - the program stopped in the middle, so couldnt finish the installation.
Tried to uninstall old MABM, that program stopped too.

3. Since Major Geeks webpages were inaccessible from the infected laptop, I tried to type in the actual web-address from where COMBOFIX could be downloaded, - it took me to weird clearly-bad sites.

4. After downloading the COMBOFIX application from email, I double-clicked it - The program will NOT Open.

5. The only thing that ran now was the MGTools. I am attaching that log.

Could you pls review the log and help me clean the computer?

Thanks.

Monalisa

monalisa · Nov 12, 2008

Re: Cannot open Major Geeks site, Could Not complete Cleaning Steps, Got ONLY MGTools

I forgot to mention - my homepage settings in firefox is not affected or altered, other sites that I commonly visit are also working ok.

dr.moriarty · Nov 16, 2008

Re: Cannot open Major Geeks site, Could Not complete Cleaning Steps, Got ONLY MGTools

Hello, monalisa

First, please disable any antivirus and/or antispy programs you have installed so they will not block this fix. Print out these instructions or save them to a text file so as All Browser Windows must be CLOSED.

Step 1:
Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.anandabazar.com/
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [msupdate.exe] C:\WINDOWS\system32\msupdate.exe -check
O4 - HKUS\S-1-5-18\..\RunOnce: [configmsi] cmd /c "rmdir /q C:\config.msi" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [supportdir] cmd /c "rmdir /q /s "C:\WINDOWS\TEMP\{7726CF62-7B45-4E6D-9266-615346816BCA}"" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [configmsi] cmd /c "rmdir /q C:\config.msi" (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.anandabazar.com/wfplayer/tdserver.cab
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
Click to expand...

Again, make sure ALL browser windows are closed when you click FIX.

Step 2:
Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixme.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixme.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"msupdate.exe"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
"ISUSPM Startup"=-
"ISUSScheduler"=-
"QuickTime Task"=-
"SunJavaUpdateSched"=-

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"configmsi"=-
"supportdir"=-
"rrgui"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispBackgroundPage"=-
"NoDispSettingsPage"=-
"NoDispAppearancePage"=-

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel]
"ResetWebSettings"=-
Click to expand...

Step 3:
Now download The Avenger by Swandog46, and save it to your Desktop.

Extract avenger.exe from the Zip file and save it to your desktop

Run avenger.exe by double-clicking on it.

Do not change any check box options!!

Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

Files to delete:
C:\-14660~1
C:\hnad.exe
C:\vdivc.exe
C:\wnkhhkk.exe
C:\WINDOWS\asr.ini
C:\WINDOWS\crn.prf
C:\WINDOWS\sthvcd.ini
C:\WINDOWS\system32\procdb.ini
C:\WINDOWS\system32\av.dat
C:\WINDOWS\system32mkrnl.exe
C:\WINDOWS\system32wini10~1.exe
C:\WINDOWS\system32\msupdate.exe
C:\Documents and Settings\All Users\Application Data\tvt_us~1.ini
C:\Documents and Settings\Srijit Mukherjee\Local Settings\temp\acra3d2.tmp
C:\Documents and Settings\Srijit Mukherjee\Local Settings\temp\incasnet.exe
C:\Documents and Settings\Srijit Mukherjee\Local Settings\temp\IS-BN63U.TMP
C:\Documents and Settings\Srijit Mukherjee\Local Settings\temp\IS-G9B9C.TMP
C:\Documents and Settings\Srijit Mukherjee\Local Settings\Application Data\gdipfo~1.dat

Folders to delete:
C:\WINDOWS\system32\SX3I19
Click to expand...

Now click the Execute button.

Click Yes to the prompt to confirm you want to execute.

Click Yes to the Reboot now? question that will appear when Avenger finishes running.

Your PC should reboot, if not, reboot it yourself.

A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

Step 4:
Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

C:\Avenger.txt

C:\MGlogs.zip

* Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now. Also - let me know if you now can connect to the internet on the infected machine.

Log in or Sign up

Cannot open Major Geeks site, Could Not complete Cleaning Steps, Got ONLY MGTools Log

monalisa Private E-2

Attached Files:

MGlogs.zip

monalisa Private E-2

dr.moriarty Malware Super Sleuth Staff Member

Log in or Sign up

Cannot open Major Geeks site, Could Not complete Cleaning Steps, Got ONLY MGTools Log

monalisa Private E-2

Attached Files:

MGlogs.zip

monalisa Private E-2

dr.moriarty Malware Super Sleuth Staff Member

Useful Searches