Quick Question...

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Pho-tog, Oct 24, 2005.

Thread Status:
Not open for further replies.
  1. Pho-tog

    Pho-tog Private E-2

    Don't worry, I'm following the rules in the READ ME FIRST thread! Just have a quick question about it so I can make sure I do everything right... Do I disable the system restore BEFORE running all the virus checks, spyware checks and all that?? If so, why is that? Thanks in advance for any answers! Also, once I've done all of that and am ready to post my question, should I just continue with this thread or start a new one?
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Disabling System Restore should be done first, before any interventions. Not disabling System Restore could keep infections on your machine; not only that, in some cases it will bring them back if they are stored in the backup folder.

    After you complete all of the steps in the READ ME please post in here.
     
  3. Pho-tog

    Pho-tog Private E-2

    Thank you. I have to start over. Didn't realize that the viruses and such could be saved like that. I asked because I did read something about it somewhere and just can't find it again. Thanks again! Starting over...
     
  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    10-04, will be awaiting results.
     
  5. Pho-tog

    Pho-tog Private E-2

    Ok, I got tired last night with all the reading so I ended up going to bed. And now I'm able to go through all of the steps in the proper order to get this done. However, I just want to be clear... After disabling system restore, enabling viewing of hidden files, getting the downloading tools... 1. I'm computer illiterate (not completely, but I'm far from being computer savvy), so should I download the Hijack This! and run that, too? I thought that I read somewhere that it is more for computer savvy people... Just wanna make sure I do this right. I don't want this thing on my computer anymore! And 2. After doing all of that, it says to run 2 of the 4 online virus and trojan scanning programs. Do I do that in safe mode? Or run those and THEN go into safe mode and start the other scans? I'm really sorry! I'm honestly not trying to be a PITA. I'm just trying to make sure that I follow all directions to the T so I can get this done correctly. Oh, and if I have to run those online virus and trojan scanning programs in safe mode, my internet will work to do that, right? Or is there something else that I have to do? OY!! Technology! I'll be happy when this is done and over with. Many thanks in advance for all the help past and future!
     
  6. Pho-tog

    Pho-tog Private E-2

    Ok, I actually found the answer to my question about safe mode. Do all of that and then go into safe mode BEFORE going to Step 6 (the malware cleaning). Still unsure about Hijack This! but I think I'll download it and see what I can do with it.
     
  7. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

  8. Pho-tog

    Pho-tog Private E-2

    Thank you much! Got all my info written down (written rather than printed, not verbatim, so I've processed the info in my head before actually doing it) and I'm ready to start. I'll post my results as soon as I'm done.
     
  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

  10. Pho-tog

    Pho-tog Private E-2

    Ok, all done. My apologies in advance if I'm too verbose with my results. I just want to make sure that I've been thorough... I know most people (that I've seen so far anyway) usually just state that they've done what's in the sticky, but I'm going to tell step by step what I did...

    1. System Restore turned off
    2. Enabled viewing of hidden files
    3. Ran Trend Micro... results showed no viruses (61415 scanned, 0 infections)
    4. Ran Trojan Scan
       C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll (showed twice in a row)
       C:\WINDOWS\Downloaded Program Files\popcaploader.dll
       C:\WINDOWS\Downloaded Program Files\RCX1D.tmp
       4 malwares detected; did not have them fixed, as it is not a free program to do so.
    5. Changed MSConfig to normal mode and restarted
    6. Ran Hijack This! Log will be posted as hijackthisbefore.log
    7. Rebooted into Safe Mode
    8. Ran CCleaner
    9. Ran AdAware SE, full system scan
       Results... 10 running processes, 391 process modules, 6 (critical) objects recognized: 1 registry value identified, 5 files identified, then had a yellow triangle with an ! in it saying 3 negligible objects (listed MRU List, 3 total; WhenU, 1 total; and Tracking Cookie, 5 total; 9 objects total will be removed)
    10. Ran SpyBot Search and Destroy
        180Solutions.SearchAssistant
        MyWay.MyWebSearch
        Said 2 problems fixed
    11. Ran Microsoft AntiSpyware, chose full system scan as opposed to intelligent quick scan
        Items detected: 1
        Memory processes scanned: 401, detected: 0
        Files scanned: 19008, infected: 0
        Registry keys scanned: 9340, detected: 31
        Found Virtumondo
        Scan completed, items removed

    Rebooted, then restarted accidentally when I meant to re-enable System Restore and selective startup

    Rebooted again after selective startup

    Re-enabled System Restore
    Re-hid files and folders

    Ran another Hijack This! Stored as hijackthisafter.log
     


  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please look in Add or Remove Programs for the following and Uninstall them if found:

    Microsoft AntiSpyware

    MyWay or MyWay Search Assistant

    WeatherBug


    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway

    R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll

    O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
    O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\system32\mljjk.dll
    O2 - BHO: (no name) - {702EA91C-1ACF-4772-8078-18F2B2EE1031} - (no file)
    O2 - BHO: My Web Search Bar BHO - {8EAB99C1-F9EC-4b64-A4BA-D9BCAE8779C2} - C:\Program Files\MyWebSearchWB\bar\1.bin\W6BAR.DLL

    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxdm824YYUS

    O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)

    O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqna/downloads/sysinfo.cab

    O20 - Winlogon Notify: mljjk - C:\WINDOWS\system32\mljjk.dll

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:

    C:\Program Files\MyWaySA ←–– Delete this whole folder if it exists!

    C:\Program Files\MyWebSearchWB ←–– Delete this whole folder if it exists!

    C:\Program Files\AWS ←–– Delete this whole folder if it exists!

    C:\WINDOWS\system32\mljjk.dll

    NEXT:
    Run CCleaner to clean up cookies and temp files.

    Run full scans with Ad-Aware SE & Spybot S&D and have both programs fix what they find.
    Note: Remember to get all updates before doing the scans.


    Reboot to Normal Windows, scan with HijackThis and attach the new log.
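For anyone reading this later: the FIX list in the reply above was built by hand from the HJT log. As an added example, not from the thread or from HijackThis itself, here is a small Python parser for lines in that format that groups them the way the reply does: orphaned entries whose file is gone, O20 Winlogon Notify load points, the start/search page entries, and any DLL registered under both O2 and O20 (as mljjk.dll is here). The sample log is constructed from the entries quoted in the reply.

```python
import re
from collections import defaultdict, namedtuple

# Constructed sample input: the HijackThis entries quoted in the reply above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\system32\mljjk.dll
O2 - BHO: (no name) - {702EA91C-1ACF-4772-8078-18F2B2EE1031} - (no file)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O20 - Winlogon Notify: mljjk - C:\WINDOWS\system32\mljjk.dll
"""

LINE_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# section: HJT code such as "O2"; clsid: COM class id or None; target: path, URL or "(no file)"
Entry = namedtuple("Entry", "section clsid target")

def parse_hjt(text):
    """Turn HijackThis-style log lines into Entry records; other lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, body = m["section"], m["body"]
        # R0/R1 are "registry value = URL"; the other sections are " - " separated fields.
        target = body.split(" = ", 1)[1] if section in ("R0", "R1") else body.rsplit(" - ", 1)[-1]
        clsid = CLSID_RE.search(body)
        entries.append(Entry(section, clsid.group(0) if clsid else None, target.strip()))
    return entries

def triage(entries):
    """Group entries the way a helper does when assembling a FIX list."""
    out, by_dll = defaultdict(list), defaultdict(set)
    for e in entries:
        if e.target == "(no file)" or e.target.endswith("(file missing)"):
            out["orphaned"].append(e.target)           # registered, but the file is gone
        elif e.section == "O20":
            out["winlogon_notify"].append(e.target)    # DLL loaded into winlogon at logon
        elif e.section in ("R0", "R1"):
            out["start_search_pages"].append(e.target)
        if e.target.lower().endswith(".dll"):
            by_dll[e.target.lower()].add(e.section)
    # One DLL registered as both a BHO (O2) and a Winlogon Notify handler (O20) has two load points.
    for dll, sections in by_dll.items():
        if {"O2", "O20"} <= sections:
            out["bho_and_winlogon_notify"].append(dll)
    return dict(out)
```

Running `triage(parse_hjt(SAMPLE_LOG))` puts both mljjk.dll entries in the same group, which is why the reply has them checked together in one FIX pass.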
     
  12. Pho-tog

    Pho-tog Private E-2

    Okies. I am going to have to print that out, though, so as not to delete the wrong things. Does all of that look like that Winfixer/Virtumondo is at least gone? I hope so! And I will definitely do what you said to do to get rid of the rest of the crap! Thank you sooooo much!!!
     
  13. Pho-tog

    Pho-tog Private E-2

    2nd attempt at typing this out... My computer froze up completely the 1st time.

    Ok, I did what you said.

    1. Removed MyWay Search Assistant, Weatherbug Browser Bar, Weatherbug, Microsoft Anti Spyware
    2. Rebooted
    3. Enabled file viewing
    4. Ran HijackThis!, checked the boxes that WERE there... some weren't... the 1st R1, R3, 1st O2 and last O2 were NOT there. The 2nd O9 was slightly different from what you put, but same premise. Posting that log, too, so you can see what I mean. hijackthis3rd.log
    5. Rebooted in safe mode
    6. Ran CCleaner
    7. Ran AdAware SE, triangle ! 2 negligible objects, 2 objects removed
    8. Ran SpyBot Search and Destroy
    9. Rebooted into normal mode
    10. Ran HijackThis! hijackthis.log Looks like something that you told me to check and fix was still there.
    11. Enabled file viewing
     
    Last edited by a moderator: Oct 29, 2005
  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please attach a fresh HJT log, attaching two confuses me because I don't know which one is which.
     
  15. Pho-tog

    Pho-tog Private E-2

    Ooops, I'm sorry. Here's the one that I should have just posted in the first place. Sorry!
     
  16. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You didn't attach anything? :p
     
  17. Pho-tog

    Pho-tog Private E-2


    OY!! I thought I did! Grrrr. I'm losing it, I think. lol I'll really attach it this time! lol Ahh... it says I've attached it already.... I have to delete it and then upload it here.
     
  18. Pho-tog

    Pho-tog Private E-2

    Ok... I can't go back and edit that post to delete it. So... I just renamed the log. :) Hopefully that works. That's not going to work, either. I'm pretty difficult, huh? The one that you're looking for is hijackthis.log in that post where I posted both.
     
  19. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Try it again, if it still doesn't work save another one from HJT.
     
  20. Pho-tog

    Pho-tog Private E-2

    Looks like I have that Winfixer crap again. Grr... I'll just redo everything and then I'll have a fresh HJT log for ya. Where does that crap come from?? What sites will put that on my computer?? Grrrr... I'm gonna just throw this thing and be done with it all! lol Just kidding... I'll fix it and post another log.
     
  21. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Will be awaiting new log!
     
  22. Pho-tog

    Pho-tog Private E-2


    You are too patient. :) Thank you. :)
     
  23. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You're welcome!
     