No flash video & Trojans

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Joyfulsong11, Mar 10, 2012.

  1. Joyfulsong11

    Joyfulsong11 Private E-2

    This computer was given to my father with an expired antivirus program (McAfee) and I believe some questionable websites were visited. I have since explained about the viruses and dangers of those websites, and I do not believe they will be an issue in the future.

The main symptom that tipped me off was that no flash videos would load on legitimate sites (local news clips mostly, but also youtube). I get notices that Adobe Flash needs to be installed and even after installing it is the same result. I installed Comodo Dragon thinking since it's based on Google Chrome and has flash built in it may work better. No luck, in fact it wouldn't load any websites at all, crashing instead. So, I began running scans, turning up multiple trojans. This is when dear ol' dad and I had a talk about his browsing practices. *sigh* Anyway . . . like your policies here, I figured I'd help him get the computer cleaned up once, and see if I can get his local news videos working. I've included the logs. Also, I just tested the video problem again and IE still acts the same with no flash videos, but Comodo Dragon is operating fine, loading youtube videos, but not foxnews.com videos, so it may be a website issue. I don't know. As long as the viruses are off, and the computer is safe, I'm okay with not solving the video problem at this point. So, any help or observations would be greatly appreciated.

    Also, I'm planning to install a free antivirus on here, as soon as I know it's clean. I was thinking about Avira, since it's pretty popular in your download section here. Something simple, effective, and not too confusing for Dad would be nice, so if anyone has suggestions of a better free antivirus that meets those requirements, I'm open to suggestions there too. Also, I am planning to install Comodo firewall, not the antivirus though. I prefer separate applications. In the past I've used F-Prot for antivirus, but it's not free. :(

    Oh, one last thing, there are multiple Malwarebytes logs. I don't really know why, only thing I can think of is that the scans were interrupted and restarted (possibly to play solitaire) when I was not around. So, hopefully the info is still useful.

Thank you all for all the time you put into making the internet a safer world!
     

    Attached Files:

  2. Joyfulsong11

    Joyfulsong11 Private E-2

    logs continued
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Since McAfee is expired, I suggest that you uninstall it right now. It is still loading some processes.

Please go to the below link and follow the instructions for running TDSSKiller from Kaspersky
    • Be sure to attach your log from TDSSKiller
    Now please also download MBRCheck to your desktop.


See the download links under this icon
    • Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Also I have a question about the below being loaded from the Start Menu. Do you know if this is legit?


    O4 - Global Startup: run_startmenu.cmd

    Now I notice that McAfee may have been uninstalled but it was not properly uninstalled. So to that end, run the below:

    McAfee Consumer Product Removal Tool


    Also uninstall the below as was instructed in the READ & RUN ME.

    Java 2 Runtime Environment, SE v1.4.2
    Java(TM) 6 Update 20
    Viewpoint Media Player


    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Your logs are looking pretty good. Seems the cleaning process took care of most problems. Let's see what the TDSSkiller and MBRcheck logs show.
     
    Last edited: Mar 11, 2012
  5. Joyfulsong11

    Joyfulsong11 Private E-2

Thanks for the quick feedback!

    Here are the logs for the scans you requested, and I have no idea what that Global Startup command is so I can't really say what it's for or if it is something that should be there or not. Sorry.

    Oh, and it may be a completely separate problem, but flash is still not loading in Internet Explorer, but seems to be working sometimes in Comodo Dragon.

Thanks again!
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Click Start, Run and copy and paste below into the Run box and click OK.

    notepad C:\Documents and Settings\All Users\Start Menu\Programs\Startup\run_startmenu.cmd

    Notepad will open up showing the contents of the file. Copy what you see and paste it back here into your next message.

    You can post about this in the Software Forum.

    Your logs are clean but you can fix the below left overs.

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - (no file)
    O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - (no file)
    O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - (no file)

    After clicking Fix, exit HJT.



    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista or Win 7, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
• Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
10. After doing the above, you should work through the below link:
     
  7. Joyfulsong11

    Joyfulsong11 Private E-2

    Here are the contents of the file requested.


    @echo off
    c:\windows\i386\apps\startmenu.cmd


I have no idea what that means, but hopefully you will!

Thank you so much for all your help, the computer is already running much faster!

Also, any opinions on permanent anti-virus? I downloaded Avira but haven't installed it.

Thank you again!
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Okay, that just points to another file. What is in the c:\windows\i386\apps\startmenu.cmd file?
     
  9. Joyfulsong11

    Joyfulsong11 Private E-2

    I tried to pull up the file you asked about, and the folder it was located in isn't there. I can get to c:\windows\i386 but there is no "apps" folder and I did check for hidden folders, and still nothing shows up. The only thing I can figure is that the folder may have been removed as part of the cleaning procedure. I'll let you guys figure out the rest !
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay then just delete the below file and this startup will be gone.


    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\run_startmenu.cmd
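The situation the last few posts walk through (a Global Startup launcher that only hands off to a second script, and that second script is gone) is a common leftover after cleanup. Below is an added example, not code from the thread or from MGtools, that parses the contents of such a .cmd launcher, extracts the paths it calls, and reports which targets no longer exist. The launcher text and the file list are constructed samples based on what was posted; the file-list argument is an assumption so the check runs offline, and without it the function falls back to the live filesystem.

```python
import os
import re

# Constructed sample: the launcher contents as posted in the thread.
RUN_STARTMENU_CMD = "@echo off\r\nc:\\windows\\i386\\apps\\startmenu.cmd\r\n"

# Constructed stand-in for files present on the machine after cleaning:
# c:\windows\i386 exists, but the apps\ folder (and its script) does not.
PRESENT_FILES = {
    r"c:\documents and settings\all users\start menu\programs\startup\run_startmenu.cmd",
    r"c:\windows\i386\winnt32.exe",  # constructed filler entry
}

# Absolute Windows paths, either quoted or bare, on a command line.
PATH_RE = re.compile(r'"([a-zA-Z]:\\[^"]+)"|([a-zA-Z]:\\[^\s"&|<>]+)')


def referenced_paths(cmd_text):
    """Return (lower-cased) absolute paths a .cmd launcher hands off to."""
    paths = []
    for line in cmd_text.splitlines():
        line = line.strip()
        # Skip echo toggles and comment lines; they launch nothing.
        if not line or line.lower().startswith(("@echo", "echo", "rem ", "::")):
            continue
        for quoted, bare in PATH_RE.findall(line):
            paths.append((quoted or bare).lower())
    return paths


def dangling_targets(cmd_text, present_files=None):
    """Paths the launcher calls that are missing: a leftover entry to remove.

    present_files: set of paths treated as existing (offline check);
    when None, os.path.exists() is consulted on the live system.
    """
    refs = referenced_paths(cmd_text)
    if present_files is None:
        return [p for p in refs if not os.path.exists(p)]
    present = {p.lower() for p in present_files}
    return [p for p in refs if p not in present]


if __name__ == "__main__":
    for missing in dangling_targets(RUN_STARTMENU_CMD, PRESENT_FILES):
        print("startup launcher points at missing file:", missing)
```

Run against a real Startup folder entry (read the .cmd, pass present_files=None), an empty result means every hand-off target still exists; a non-empty one is the case in this thread, where deleting the launcher is the fix.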
     
