Malware Removal/Cleaning Procedure

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by EJN, Jul 6, 2011.

  1. EJN

    EJN Private E-2

    Hello,

I have Windows 7 on my HP laptop. One or two times every week Windows freezes completely, and I have to reboot my laptop by pressing the power button.

I have run the Malware Removal/Cleaning Procedure. SUPERAntiSpyware detected and removed a Trojan and Browser Hijacker Tubby. I reran SAS and it showed that everything was clean.

These are my two logs.
     


  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Would still like to see the logs from those if you don't mind. :) Thanks.
     
  3. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    What are you currently using for antivirus?

Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.

    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    Delete these folders as long as they are all empty, if not let me know.

    C:\Users\Elena\AppData\Local\{0C8AFBAD-4679-4201-8E13-9C4EAA7E5130}
    C:\Users\Elena\AppData\Local\{22C2E86F-B23A-4AC7-8A6F-51006798B047}
    C:\Users\Elena\AppData\Local\{B8FAA780-8D9C-457A-9705-A4E8D4466617}
    C:\Users\Elena\AppData\Local\{D2E82020-0803-49D4-83C2-F84484116D4B}
     
  4. EJN

    EJN Private E-2

Thank you very much! The message was: success. I deleted all four empty folders.

I had SpyDoctor and AVG, but deleted them. Now I have only Microsoft Security Essentials.
     
    Last edited by a moderator: Jul 6, 2011
  5. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Strange, it does not show as installed according to your logs. Did you uninstall it before running the scans?

    Did you see my post number two?
     
  6. EJN

    EJN Private E-2

    :-o I have only those two logs, that I have already attached to my first post. Should I have more logs? If yes, where can I find them on my comp?
     
  7. EJN

    EJN Private E-2

I disabled it before running the Cleaning Procedure. Now I have turned it on again.
     
  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    They exist here:


    C:\Users\Elena\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\Logs\SUPERAntiSpyware Scan Log - 07-06-2011 - 17-06-57.log
    C:\Users\Elena\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\Logs\SUPERAntiSpyware Scan Log - 07-06-2011 - 18-28-37.log
    C:\Users\Elena\AppData\Roaming\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-2011-01-06 (22-24-36).txt
    C:\Users\Elena\AppData\Roaming\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-2011-07-06 (16-21-06).txt

It is not majorly important that I see them, but sometimes users do not update this software and I can see this from the logs.

    Yes but even so it should show as being physically installed despite the fact you disabled it.
     
  9. EJN

    EJN Private E-2

    I checked its location. MSE is installed in Program Files/Microsoft Security Client/msseces.exe

    Thank you for helping to find logs on my comp. Here is the rest of them.
     


  10. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Yes but does it show in add/remove programs? :confused (Not according to the logs)
     
  11. EJN

    EJN Private E-2

Yes, it does. Version 2.0.657.0, installed on 1/28/2011. It is running a full scan right now.
     
  12. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

I give up. These are the only things showing in the logs with "Microsoft" in the title. No sign of Security Essentials there...

    Tell me what malware problems remain? I think we can wrap up soon. :)
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

It is likely due to x64. I have included a few other registry keys in the searches done by MGtools to allow for the fact that x64 systems can use other registry keys for the Uninstall Programs list. Perhaps there is still one or more I need to include to find it.

    So EJN, if you would be so kind as to run the below, maybe we can locate this registry key to add to our search locations.


    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2
    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :regfind
      Essentials
      
    • Click the Look button to start the scan.
• When finished, a Notepad window will open with the results of the scan. You can just close this Notepad window since the log is already saved on your Desktop. Be patient! It may look like it is not doing anything, but it takes a while for this to scan through your whole system looking for matches.
• Please attach the SystemLook.txt log found on your Desktop to your next reply.
     
  14. EJN

    EJN Private E-2

    Thank you for your help.

    Attached is a SystemLook log.
     


  15. EJN

    EJN Private E-2

    It was two busy days, and I didn't have a chance to get to my laptop. So far it looks fine today. Thank you so much for your help. :)
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Last edited: Jul 9, 2011
  17. EJN

    EJN Private E-2

Starting yesterday my Chrome browser became extremely slow. I ran Malwarebytes and SUPERAntiSpyware one after another. Everything is clean, but the browser is slow.

The log is attached.

    Thank you very much for all your help.
     


  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Okay, that last log from SystemLook x64 shows MSE installed, and that is the reg key that MGtools looks at. I think that it does not show in MGtools though because MGtools is not running as a 64-bit application.

Try IE and tell us what happens. Last time I looked at your logs, when you had Chrome open, you had a ton of tabs open, which caused about 16 Chrome processes to be running, eating up memory and CPU cycles.
     
  19. EJN

    EJN Private E-2

    Duplicate
     
  20. EJN

    EJN Private E-2

    I uninstalled Chrome, and checked Physical Memory. It is only 762 MB total, and RAM is 3 GB.
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Actually your total available memory for program use is only 2.74 GB because you use the other for your graphics card. This is shown in your sysinf.txt log inside of MGlogs.zip.

You will have to check what is eating up the other 1.978 GB by looking at your complete process list for all users and seeing where the memory is going. Are you sure that Chrome is really gone? Run MGtools again and attach a new log. Shut down ALL browsers while it is running.


Also, please download MBRCheck to your desktop
• Double click MBRCheck.exe to run (Vista and Win 7: right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )
     
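What MBRCheck does in the steps above is read the first sector of the disk, check that it ends in the 0x55AA boot marker, and compare the boot code against known-good Windows boot code; a mismatch is what produces the "Found non-standard or infected MBR" line. The following is an added illustration of that check, not MBRCheck's own code: it parses a constructed 512-byte MBR image, hashes the boot code, and classifies it against a baseline of trusted hashes (the baseline hash, disk signature and partition layout here are all constructed for the example).

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440      # x86 boot code occupies bytes 0..439
DISK_SIG_OFF = 0x1B8     # 4-byte Windows disk signature
PART_TABLE_OFF = 0x1BE   # four 16-byte partition entries
BOOT_SIG_OFF = 0x1FE     # must hold 0x55 0xAA


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into boot code hash, disk signature and partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, ptype = sector[off], sector[off + 4]
        lba_start, sectors = struct.unpack_from("<II", sector, off + 8)
        if ptype != 0:   # type 0 marks an unused slot
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
            "partitions": partitions,
            "boot_sig_ok": sector[BOOT_SIG_OFF:] == b"\x55\xAA"}


def assess_mbr(sector: bytes, trusted_hashes: set) -> str:
    """Classify an MBR as a checker does: boot marker first, then boot code against a baseline."""
    info = parse_mbr(sector)
    if not info["boot_sig_ok"]:
        return "invalid"
    return "standard" if info["boot_code_sha256"] in trusted_hashes else "non-standard"


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed test image: the given boot code, a fixed disk signature, one NTFS partition."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<I", sector, DISK_SIG_OFF, 0xDEADBEEF)
    # entry 0: active (0x80), type 0x07 (NTFS), starting at LBA 2048, 1,000,000 sectors long
    struct.pack_into("<B3xB3xII", sector, PART_TABLE_OFF, 0x80, 0x07, 2048, 1_000_000)
    sector[BOOT_SIG_OFF:] = b"\x55\xAA"
    return bytes(sector)


# Constructed "known-good" boot code stub. A real baseline holds hashes of the vendor boot
# code (what bootrec /fixmbr writes), captured from a clean machine of the same Windows version.
CLEAN_BOOT_CODE = b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x00" * (BOOT_CODE_LEN - 7)
TRUSTED = {hashlib.sha256(CLEAN_BOOT_CODE).hexdigest()}
CLEAN_MBR = build_sample_mbr(CLEAN_BOOT_CODE)
# Same partition table, but the first boot-code bytes differ: an MBR bootkit keeps the
# partition table intact so Windows still boots, which is why only the code hash reveals it.
TAMPERED_MBR = build_sample_mbr(b"\xEB\x1E\x90" + CLEAN_BOOT_CODE[3:])

if __name__ == "__main__":
    # On Windows (run as administrator) the live sector is read with:
    #   open(r"\\.\PhysicalDrive0", "rb").read(512)
    for name, img in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(name, assess_mbr(img, TRUSTED), parse_mbr(img)["partitions"])
```

Reading `\\.\PhysicalDrive0` requires administrator rights, just as the MBRCheck step above does; an "invalid" result means the sector is not an MBR at all, while "non-standard" only means the boot code is not in your baseline and needs a closer look.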
  22. EJN

    EJN Private E-2

    When I started my laptop this morning and checked Physical memory, it was 2810. 30 mins later it is 762.

    Attached is MBRCheck log.
     
  23. EJN

    EJN Private E-2

    Attachment - MBRCheck log
     


  24. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

  25. EJN

    EJN Private E-2

I ran MGtools and MBRCheck again. MBRCheck has detected SteelWerxWhoAmI, but only closed it, not deleted it.
     


    Last edited: Jul 12, 2011
  26. EJN

    EJN Private E-2

    Sorry, I made a mistake. :-o MGTools has detected SteelWerxWhoAmI.
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Nothing said it "detected SteelWerxWhoAmI". See the message in the command prompt window. There is nothing to delete. You just needed to do what it said and wait for the close button and close it to continue.

    You have an MBR infection, do you have your Windows 7 bootable DVD?
     
  28. EJN

    EJN Private E-2

No, I don't have it. Can I use the Windows 7 DVD from my desktop? Can I still transfer some files to a portable drive, or will it be infected as well? Or can I transfer these files to a CD safely? I transferred some files to Adrive online a couple of days ago. Can I download them back later, or will it infect my comp again?
     
  29. EJN

    EJN Private E-2

    My HP laptop still is under warranty. I talked to HP, and now I have three genuine Windows 7 DVDs.
     
  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Yes, there is a possibility that an external portable drive could become infected if plugged in, but this more frequently happens if the device is plugged in while the infected hard disk is being booted, which causes the MBR to be accessed. So you lessen the chance by making sure the portable drive is not plugged in while booting or shutting down your PC.


    Now that you have the DVD, you need to boot from it to access the Windows 7 System Recovery Environment. You can read details about this in the below link:

    http://www.bleepingcomputer.com/tutorials/tutorial161.html

    Once you have gotten to the command prompt, you need to run the below command

    bootrec.exe /fixmbr


    Then you will reboot normally back to Windows and attach a new log from MBRcheck
     
