MajorGeeks Support Forums

#21  03-08-10, 03:47
Kestrel13! (Super Malware Fighter - Major Dilemma)
Re: Malware/virus NOT removed + RR hangs

Quote:
In the log I posted below, this entry looks suspicious in the ComboFix log, don't you think?
It relates to PowerDVD. Not malicious and nothing to be concerned about.

Now then, I want you to update both SUPERAntiSpyware and Malwarebytes. Rescan with each, fix all it finds and attach the logs they create to your next reply.

Next, let's do this:

Using ESET's Online Scanner

Attach the ESETScan.txt to your next reply as well as the logs from MBAM/SAS.

#22  03-09-10, 05:49
boogieman (Private First Class)

Hi

1. I will do your proposals later today.

2. I think I found one thing earlier today.
When I boot I have 2 instances of wmiprvse.exe running for a while.
I looked up all the versions I have and there were quite a few (see attached jpg)
WmiPrvse.jpg

I have scanned all the versions I have on www.jotti.org and found that ONE of them was reported as a backdoor by one scanner. See permalink below
Jotti scan result of wmiprvse.exe in folder 'C:\WINDOWS\$hf_mig$\KB956572\SP3GDR'
When I take properties of the two files in the jpg, they have exactly the same date (manufacturer, version, size and so on) but only one is reported infected, so something is strange.

All the other versions in the jpg were reported OK by all scanners.
If you want me to send the infected file, let me know. I guess you are using some kind of "sandbox" but I don't want to spread infections if someone else on the forum should happen to use the file.

Best regards and huge thanks
Boogieman
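A defender's way to check the observation in this post, written as an added example for this thread (it is not code from the thread, from Jotti or from any tool named here): hash every copy of wmiprvse.exe found, group the byte-identical ones, and weigh the lone detection against that. If the flagged copy and an unflagged copy have the same bytes, the verdict comes from the scanner, not the file. The paths, file bytes and hit counts below are constructed sample data, not taken from the attachment.

```python
import hashlib
from pathlib import Path
from typing import Dict, Iterable, List


def read_copies(paths: Iterable[str]) -> Dict[str, bytes]:
    """Load every on-disk copy of a file (every wmiprvse.exe, say) into memory."""
    return {p: Path(p).read_bytes() for p in paths}


def group_by_content(copies: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Map SHA-256 digest -> paths whose bytes are exactly identical."""
    groups: Dict[str, List[str]] = {}
    for path, data in copies.items():
        groups.setdefault(hashlib.sha256(data).hexdigest(), []).append(path)
    return groups


def assess(copies: Dict[str, bytes], hits: Dict[str, int], flagged: str) -> str:
    """Weigh a detection on 'flagged'. hits[path] = number of engines in a
    multi-engine scan that flagged that path (missing or 0 = scanned clean)."""
    n = hits.get(flagged, 0)
    if n == 0:
        return "not flagged"
    digest = hashlib.sha256(copies[flagged]).hexdigest()
    twins = [p for p in group_by_content(copies)[digest] if p != flagged]
    if any(hits.get(p, 0) == 0 for p in twins):
        # Same bytes, different verdict: the scanner, not the file, differs.
        return "scanner artifact: byte-identical copies scanned clean"
    if n == 1:
        return "single-engine hit, no clean twin: low confidence"
    return "multi-engine hit: treat as suspicious"


# Constructed sample data: two byte-identical copies and one that differs.
# Real paths would come from a filesystem search; these are illustrative.
SAMPLE_COPIES = {
    r"C:\WINDOWS\system32\wbem\wmiprvse.exe": b"MZ\x90\x00" + b"A" * 64,
    r"C:\WINDOWS\$hf_mig$\KB956572\SP3GDR\wmiprvse.exe": b"MZ\x90\x00" + b"A" * 64,
    r"C:\WINDOWS\ServicePackFiles\i386\wmiprvse.exe": b"MZ\x90\x00" + b"B" * 64,
}
# Only the hotfix copy got a hit, from a single engine, as in the thread.
SAMPLE_HITS = {r"C:\WINDOWS\$hf_mig$\KB956572\SP3GDR\wmiprvse.exe": 1}

if __name__ == "__main__":
    for path in SAMPLE_COPIES:
        print(path, "->", assess(SAMPLE_COPIES, SAMPLE_HITS, path))
```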

#23  03-09-10, 09:02
Kestrel13! (Super Malware Fighter - Major Dilemma)

Quote:
1. I will do your proposals later today.
Yes please.

Then please do the below:

Please go to Start > Run and paste in the following:

Quote:
%systemdrive%\MGTools\zip "%systemdrive%\collect.zip" C:\WINDOWS\example.exe
(enter the full file path of the file just ONE of the scanners reported as a threat instead of example.exe and my file path) - I believe this could just be a false positive anyway with that particular scanner on Jotti.

Log retrievable @ C:\collect.zip

#24  03-12-10, 20:33
boogieman (Private First Class)

1. Now the proposed actions are complete and the results are contained below:
- SAS log (made the 10th - the rest today)
- MBAM log (found 2 threats - see point 2 below)
- ESET log (found 7 threats - deleted)
- collect.zip
in this zip file: Logs 20100313.zip

2. On ESET 7 things were reported, but I have not yet chosen "delete files" on the threats found - should I do that?
Seems like some fake reports like:
* MGtools
* "falcon smitrem" virus removal tool, which was a bit strange.
* SDFix backups

Thanks, awaiting further orders

#25  03-13-10, 07:37
Kestrel13! (Super Malware Fighter - Major Dilemma)

Yes, what ESET found were just false positives.

Also the wmiprvse.exe is not infected either; it's a legit file and only one of the scanners flagged it as bad.

I believe it's time for you to follow the final steps soon. What remaining malware problems do you have, if any?

#26  03-13-10, 09:08
boogieman (Private First Class)

Quote:
Originally Posted by Kestrel13!
Yes, what ESET found were just false positives.

Also the wmiprvse.exe is not infected either; it's a legit file and only one of the scanners flagged it as bad.

I believe it's time for you to follow the final steps soon. What remaining malware problems do you have, if any?
Wrote a bit wrong below.
- The threats in MBAM are deleted (don't know if they were fake, since I did not recognize the files)
- In ESET then I should not delete the files? Not the uninstall.exe either from the maketorrent dir?

- Yes, wmiprvse.exe should be legit. The strange thing was that only 1 of the 3 was flagged as infected by Jotti.
If all had been flagged infected I would also have opted for non-virus.

Regards
Boogie

#27  03-13-10, 09:51
Kestrel13! (Super Malware Fighter - Major Dilemma)

You can just use Windows Explorer to manually delete the below if you do not need it now
Quote:
C:\Documents and Settings\oh\Desktop\Falcon\Safe\smitRem.exe
C:\Documents and Settings\oh\Desktop\Falcon\Safe\smitRem\Process.exe


If you are not having any other malware problems, it is time to do our final steps:
  1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
  2. If we used Pocket Killbox during your cleanup, do the below
    • Run Pocket Killbox and select File, Cleanup, Delete All Backups
  3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
    • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
    • "%userprofile%\Desktop\combofix" /uninstall
      • Notes: The space between the combofix" and the /uninstall, it must be there.
      • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
  4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
  5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
  6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
  7. Go to add/remove programs and uninstall HijackThis.
  8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
  9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
    • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
    • Then reboot and Enable System Restore to create a new clean Restore Point.
  10. After doing the above, you should work through the below link:

#28  03-15-10, 23:49
boogieman (Private First Class)

Quote:
Originally Posted by Kestrel13!
You can just use Windows Explorer to manually delete the below if you do not need it now
Done

Quote:
1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
SAS - passive (will use as a sweeper every now and then)

Quote:
2. If we used Pocket Killbox during your cleanup, do the below
  • Run Pocket Killbox and select File, Cleanup, Delete All Backups
N/A

Quote:
3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
  • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
  • "%userprofile%\Desktop\combofix" /uninstall
    • Notes: The space between the combofix" and the /uninstall, it must be there.
    • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
Done, but changed back to see file extensions and hidden files, since I prefer it that way. Guess that is not an issue regarding malware.

Quote:
4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
- CCleaner - kept it since I like the functionality
- MBAM - kept it since it seemed like a good "once in a while sweeper"

Quote:
5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
N/A

Quote:
7. Go to add/remove programs and uninstall HijackThis.
Done + removed the exe and folder as prompted in the uninstall

Quote:
8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
Done

Quote:
9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
  • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
  • Then reboot and Enable System Restore to create a new clean Restore Point.
Done

Quote:
10. After doing the above, you should work through the below link:
- Autorun disabled (is there a safe way to look at my USB sticks which might carry infections?)
- Avira - Installed & Active (seemed nice due to the rootkit detector)
- Spybot S&D - Immunized + display dialog (should I set it to load at startup?)
- Spywareblaster - All enabled (Should I set it to load at startup as well?)
- Google Chrome alternative browser installed

Regarding RootRepeal:
If I remember it right it was not an install - so I can just delete the exe (can't find it in add/remove nor the start menu)

Regarding cookie blockers
I can't remember which software it is that asks for permission when cookies are detected.
But after reading all your files I understand it is unnecessary, so I will try to lurk out which one it was, since it is a bit annoying to allow every cookie

Thanks a very huge bunch for all the support.
I feel like I'm loaded over my ears with protection now and I guess that's what's needed with today's cumbersome internet environment.
A pity all people are not like you guys on MG.
I have never understood the fun of making viruses just to bother other people and take up so much unnecessary time, but I guess those individuals are people that "are not seen" in the normal community and need to take such drastic measures to "shine" (they shine less than a rusty nail IMO).

You guys & girls (must be some fems as well, right) on the other hand - glow like diamonds in the rain


Thanks again
Boogie - hopefully virus free - man

Last edited by boogieman; 03-15-10 at 23:59.

#29  03-15-10, 23:55
Kestrel13! (Super Malware Fighter - Major Dilemma)

Quote:
- Autorun disabled (is there a safe way to look at my USB sticks which might carry infections?)

For the external Hard Drive and a USB stick.

Insert your flash drive before we begin. Hold down the Shift key when inserting the flash drive until Windows detects it to bypass the autorun feature. This will keep the autorun.inf from executing automatically.

Please have all your removable storage devices ready for disinfection.

Download Flash Disinfector by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it.
  • Your desktop and icons may disappear. This is normal.
  • It will do a cleanup of removable storage devices, and write a protected Autorun.inf file to help prevent re-infection.
  • Follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • There will be no GUI interface or log file produced.
  • Reboot your computer when done.

Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.

Quote:
- Spybot S&D - Immunized + display dialog (should I set it to load at startup?)
Your choice. I do not personally rate S&D much these days and do not use it.

Quote:
- Spywareblaster - All enabled (Should I set it to load at startup as well?)
Your choice, I have it installed but do not have it running at start up.

Quote:
Regarding RootRepeal:
If I remember it right it was not an install - so I can just delete the exe (can't find it in add/remove nor the start menu)
Yes, simply delete its executable, and any logs it made.

Quote:
Thanks a very huge bunch for all the support.
You are very welcome!

Take care.
Kes13!
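As an added example (not part of this thread and not Flash Disinfector's code), one way to look at a stick's autorun.inf without letting it run, which is the question asked above: a folder named autorun.inf is the Flash_Disinfector-style mitigation described in this reply (a file of that name can no longer be dropped there), while an autorun.inf file is parsed read-only to show what Windows would have launched. The drive roots and the autorun.inf text below are constructed in a temporary directory for the demonstration.

```python
import tempfile
from pathlib import Path
from typing import Dict, List

def parse_autorun(text: str) -> Dict[str, str]:
    """[autorun] section as lowercased key -> value; tolerates a BOM,
    ';' comments, blank lines and mixed-case section names."""
    section, entries = None, {}
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff").strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "autorun" and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def launch_targets(entries: Dict[str, str]) -> List[str]:
    """Everything Windows would run: open=, shellexecute=, shell\\<verb>\\command=."""
    return [v for k, v in entries.items() if k in ("open", "shellexecute")
            or (k.startswith("shell\\") and k.endswith("\\command"))]

def classify_root(root: Path) -> str:
    """Inspect a drive root read-only; nothing on the drive is executed."""
    ai = root / "autorun.inf"
    if not ai.exists():
        return "no autorun.inf"
    if ai.is_dir():  # a folder blocks malware from dropping its own file
        return "protected folder (Flash_Disinfector style)"
    targets = launch_targets(parse_autorun(ai.read_text("utf-8", errors="replace")))
    return ("autorun file launches: " + ", ".join(targets)) if targets else "autorun file, no launcher"

def demo() -> Dict[str, str]:
    """Build three constructed drive roots in a temp dir and classify each."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        (base / "clean").mkdir()
        (base / "protected" / "autorun.inf").mkdir(parents=True)
        (base / "launcher").mkdir()
        (base / "launcher" / "autorun.inf").write_text(
            "\ufeff[AutoRun]\r\n; constructed sample\r\nicon=setup.exe,0\r\n"
            "OPEN=tools\\start.exe\r\nshell\\explore\\command=tools\\start.exe -e\r\n",
            encoding="utf-8")
        for name in ("clean", "protected", "launcher"):
            results[name] = classify_root(base / name)
    return results
```

To inspect a real stick, call classify_root on its root (for example Path("E:\\")) after inserting it with Shift held, as the reply above describes.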