rootkit.0access and other malware

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by deeps, Oct 22, 2011.

  1. deeps

    deeps Private E-2

    I've been dealing with zero access rootkit and other malware for a week now..

    Can't run most programs, or get online and can't seem to access ip configuration address. Any help would be greatly appreciated.

    Ran malware, super antivirus and combo fix...results below.
     


  2. thisisu

    thisisu Malware Consultant

  3. deeps

    deeps Private E-2

    Yes, I have done the read and run me malware removal...followed the steps.

    Here is the tdsskiller log...thanks again.
     


  4. thisisu

    thisisu Malware Consultant

    You made no mention of MGlogs.zip. Please attach that file if you were able to run MGtools.exe

    Also attach the log from running DeFogger.

    Then complete the following:

    Please download OTL by Old Timer to your desktop.
    • See the download links under this icon.
    • Double-click OTL.exe to run (Vista and Win7 right click and select Run as administrator)
    • When the window appears, underneath Output at the top-right, make sure Standard Output is selected.
    • Select Scan All Users.
    • Check the boxes beside LOP Check and Purity Check.
    • Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
      Code:
      netsvcs
      %systemdrive%\*.exe
      /md5start
      afd.sys
      atapi.sys
      csrss.exe
      explorer.exe
      ipnat.sys
      ipsec.sys
      regedit.exe
      services.exe
      svchost.exe
      tcpip.sys
      userinit.exe
      winlogon.exe
      /md5stop
      %systemroot%\*. /mp /s
      %windir%\assembly\GAC\*.ini
      %windir%\assembly\GAC_MSIL\*.ini
      %windir%\assembly\gac_32\*.ini
      %windir%\assembly\gac_64\*.ini
      %windir%\assembly\temp\*.ini
      %windir%\assembly\tmp\u /s
      %allusersprofile%\application data\*.exe
      %systemdrive%\MGtools\
      %systemdrive%\
      %userprofile%\desktop\
      hklm\software\microsoft\windows\currentversion\run|exe /rs
      hklm\software\microsoft\windows\currentversion\runonce|exe /rs
      
    • Now click the Run Scan button.
    • When the scan is complete, Notepad will open with the results of the OTL scan.
    • Close Notepad.
    • There will be two log files on your desktop entitled OTL.txt and Extras.txt.
    • Attach both OTL.txt and Extras.txt to your next message. (How to attach items to your post)
     
  5. deeps

    deeps Private E-2

    Apologize for the missing files...thanks again for all the help.
     


  6. thisisu

    thisisu Malware Consultant

    From Add/Remove Programs (via Control Panel), please uninstall the below:
    • J2SE Runtime Environment 5.0 Update 6
    • Java(TM) 6 Update 18
    • Java(TM) 6 Update 2
    • Java(TM) 6 Update 3
    • Java(TM) 6 Update 5
    • Java(TM) 6 Update 7

    Please download Disable/Remove Windows Messenger by Doug Knox to your desktop.
    • See the download links under this icon.
    • Double-click MessengerDisable.exe
    • Place a check-mark in Uninstall Windows Messenger
    • Click Apply
    • Click Exit

    Now we need to make use of OTL by Old Timer.
    • Double-click OTL.exe to run (Vista and Win7 right-click and select Run as administrator)
    • When OTL opens, copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
      Code:
      :processes
      killallprocesses
      :otl
      FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=:  File not found
      O4 - HKLM..\RunOnce: [AvgUninstallURL] C:\WINDOWS\System32\cmd.exe (Microsoft Corporation)
      O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
      O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
      O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
      O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
      O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
      O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
      O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
      O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
      O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
      O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
      O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
      O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
      O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
      O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab (Reg Error: Key error.)
      O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab (Reg Error: Key error.)
      O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab (Reg Error: Key error.)
      O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Reg Error: Key error.)
      O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Reg Error: Key error.)
      O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
      O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
      O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
      O29 - HKLM SecurityProviders - (digeste.dll) - File not found
      O33 - MountPoints2\{e1412540-3cbe-11df-814a-001676bc312a}\Shell - "" = AutoRun
      O33 - MountPoints2\{e1412540-3cbe-11df-814a-001676bc312a}\Shell\AutoRun - "" = Auto&Play
      O33 - MountPoints2\{e1412540-3cbe-11df-814a-001676bc312a}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -a
      O33 - MountPoints2\{e1412541-3cbe-11df-814a-001676bc312a}\Shell\AutoRun\command - "" = setupSNK.exe
      [3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
      [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
      [2011/10/09 11:08:53 | 000,000,000 | ---- | M] () -- C:\WINDOWS\2329406891
      [2011/10/08 10:19:49 | 000,662,349 | ---- | M] () -- C:\WINDOWS\System32\drivers\AVG\iavifw.avm
      [2011/10/09 10:53:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG2012
      [2010/10/15 07:59:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9
      [2007/12/12 23:58:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
      [2009/04/01 10:18:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
      [2010/04/20 08:18:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
      [2009/09/17 09:08:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
      [2009/04/18 16:49:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
      [2011/09/23 08:13:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Gary\Application Data\AVG2012
      [C:\WINDOWS\$NtUninstallKB33688$] -> Error: Cannot create file handle -> Unknown point type
      @Alternate Data Stream - 151 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0B4227B4
      :services
      abedd78a
      :files
      C:\$AVG
      C:\WINDOWS\$NtUninstallKB33688$ /d
      C:\WINDOWS\system32\drivers\ipsec.sys|C:\WINDOWS\system32\dllcache\ipsec.sys /replace
      ipconfig /flushdns /c
      netsh int ip reset resetlog.txt /c
      netsh winsock reset /c
      :reg
      :commands
      [purity]
      [emptyjava]
      [emptytemp]
      [emptyflash]
      [resethosts]
      
    • Now click the Run Fix button.
    • OTL may ask to reboot the machine. Please do so if asked.
    • Click the OK button.
    • When complete, Notepad will open.
    • Close Notepad.
    • A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    • Attach this log to your next message. (How to attach items to your post)

    Now install the current version of Sun Java from: Sun Java Runtime Environment

    Put your computer back into Normal Startup Mode and reboot before proceeding to the next step >> Use MSconfig to set up for Normal Startup Mode


    Now open OTL again and click the Run Scan button
    Note: This automatically updates the OTL.txt log on your desktop.
    Attach OTL.txt to your next message. (How to attach items to your post)


    Now run C:\MGtools\GetLogs.bat by double-clicking it (Vista and Win7 right-click and select Run as Administrator)
    Then attach C:\MGlogs.zip to your next message. (How to attach items to your post)
    Notes:
    • This will automatically update all the logs inside MGlogs.zip
    • Make sure you click Accept on the License Agreement from Trend Micro HiJackThis - v2.0.4 twice if prompted.

    LET ME KNOW HOW THE PC IS RUNNING AFTER YOU HAVE COMPLETED THESE STEPS
     
    Last edited: Oct 24, 2011
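An added check, not from the thread or from OTL, illustrating what the /md5start .. /md5stop list in post 4 and the ipsec.sys /replace line in post 6 rely on: hash each listed system file and compare it with the copy Windows XP keeps in system32\dllcache, reporting files that differ or are missing (it also covers a file moved out of system32, as happens to cmd.exe later in the thread). The directory layout and file contents below are constructed sample data, not real Windows files.

```python
"""Compare MD5s of critical Windows XP system files with their dllcache
copies.  Added example; the file names are the ones OTL was told to hash in
the thread, the demo tree is constructed, not a real install."""
import hashlib
import os
import shutil
import tempfile

# File names taken from the /md5start .. /md5stop directive in the thread.
WATCHED = [
    "afd.sys", "atapi.sys", "csrss.exe", "explorer.exe", "ipnat.sys",
    "ipsec.sys", "regedit.exe", "services.exe", "svchost.exe", "tcpip.sys",
    "userinit.exe", "winlogon.exe",
]


def md5_of(path, chunk=65536):
    """Stream a file through MD5 (the digest OTL reports per file)."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def compare_with_cache(system_dir, cache_dir, names=WATCHED):
    """Return {name: status}: 'ok', 'mismatch' (live copy differs from the
    dllcache copy), 'missing' (absent from system_dir, as cmd.exe was in the
    thread) or 'no-cache-copy' (nothing to compare against)."""
    report = {}
    for name in names:
        live = os.path.join(system_dir, name)
        cached = os.path.join(cache_dir, name)
        if not os.path.isfile(live):
            report[name] = "missing"
        elif not os.path.isfile(cached):
            report[name] = "no-cache-copy"
        elif md5_of(live) == md5_of(cached):
            report[name] = "ok"
        else:
            report[name] = "mismatch"
    return report


def build_demo_tree():
    """Constructed system32/dllcache pair reproducing the thread's situation:
    ipsec.sys differs from its cached copy and cmd.exe has been moved away."""
    root = tempfile.mkdtemp(prefix="xp_demo_")
    sys32 = os.path.join(root, "system32")
    cache = os.path.join(sys32, "dllcache")
    os.makedirs(cache)
    for name in WATCHED + ["cmd.exe"]:
        clean = ("clean contents of %s" % name).encode()
        with open(os.path.join(cache, name), "wb") as f:
            f.write(clean)
        if name == "cmd.exe":
            continue  # moved to C:\_OTL\MovedFiles, so absent from system32
        # Constructed: the live ipsec.sys carries extra bytes so its hash differs.
        live = clean if name != "ipsec.sys" else clean + b"\x00" * 16
        with open(os.path.join(sys32, name), "wb") as f:
            f.write(live)
    return sys32, cache


def demo():
    """Run the comparison on the constructed tree and keep only the
    entries that need a closer look."""
    sys32, cache = build_demo_tree()
    try:
        report = compare_with_cache(sys32, cache, WATCHED + ["cmd.exe"])
    finally:
        shutil.rmtree(os.path.dirname(sys32))
    return {k: v for k, v in report.items() if v != "ok"}


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print("%-14s %s" % (name, status))
```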
  7. deeps

    deeps Private E-2

    Attached the OTL run fix and scans but can't access C:\MGtools\GetLogs.bat

    Getting an error stating 'Windows cannot find 'C:\MGtools\GetLogs.Bat'. Make sure you typed the name correctly, and then try again.'

    Still can't access the internet.
     


  8. thisisu

    thisisu Malware Consultant

    I need you to open this folder using Windows Explorer: C:\MGtools
    Inside you will see a bunch of files, look for the one named GetLogs.bat
    Then double-click GetLogs.bat. Let this run unhindered.

    Afterwards, attach the MGlogs.zip file -- It's at C:\MGlogs.zip
     
  9. deeps

    deeps Private E-2

    I understand, I tried that, when I double click the file GetLogs.Bat in the MGTools folder, that's the error prompt I get.
     
  10. thisisu

    thisisu Malware Consultant

    Please download Tweaking.com - Windows Repair by Tweaking.com to your desktop.
    • See the download links under this icon.
    • Double-click tweaking.com_windows_repair_aio.zip and extract the Tweaking.com - Windows Repair folder to your desktop.
    • Now open this folder and double-click Repair_Windows.exe.
    • Click the Start Repairs tab on the far right.
    • Click Custom Mode so there is a bullet in it.
    • Click the Start button (bottom right)
      Note: When asked if you would like to create a restore point, it is recommended, just in case something does not go as planned.
    • Click Unselect All
    • Put a checkmark in the following items:
      • Reset Registry Permissions
      • Reset File Permissions
      • Register System Files
      • Remove Policies Set By Infections
      • Repair Winsock and DNS Cache
      Note: Leave everything else unchecked
    • Put a checkmark in Restart System When Finished
    • Now click the Start button (bottom right)
    • Let this run unhindered, then reboot afterwards.

    Now we need to make use of ComboFix by sUBs
    • Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop but do not run it!
      • If it is not on your desktop, the below will not work.
    • Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    • Open Notepad and copy/paste the text in the below code box into Notepad:
    Code:
    KillAll::
    DirLook::
    c:\mgtools
    FileLook::
    c:\mgtools\getlogs.bat
    c:\mgtools.exe
    C:\WINDOWS\system32\drivers\ipsec.sys
    C:\WINDOWS\system32\dllcache\ipsec.sys
    Folder::
    C:\WINDOWS\$NtUninstallKB33688$
    
    • Save the above as CFScript.txt and make sure you save it to the same location (should be on your desktop) as ComboFix.exe
    • At this point, you must exit all browsers now before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your desktop.
    • Now use your mouse to drag CFScript.txt on top of ComboFix.exe.
    • This shall launch ComboFix.
      Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    • Allow ComboFix to update itself if prompted.
    • When it finishes, a log will be produced at C:\ComboFix.txt
      Note: If after running ComboFix you discover none of your programs will open up because you receive the following error: Illegal operation attempted on a registry key that has been marked for deletion then you will need to reboot your computer which will normally fix this problem.
    • Attach this log to your next message. (How to attach items to your post)

    Please download SystemLook by jpshortstuff to your desktop.
    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :reg
      ipsec
      regfind:
      *ipsec*
      :filefind
      ipsec.sys
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply. (How to attach items to your post)
      Note: The log can be found on your desktop entitled SystemLook.txt
     
  11. deeps

    deeps Private E-2

    Ran Tweaking Windows Repair unhindered even though a prompt box kept telling me 'execute processes remotely has encountered a problem and needs to close.'
    ...rebooted after program finished.

    Dragged CFScript file into ComboFix and it froze up on last command Output folder C:\32788R22FWJFW

    Rebooted manually in safe mode w/ networking.
     
  12. thisisu

    thisisu Malware Consultant

    What do you mean here?

    I am not familiar with the error message you are saying you received. Can you take a screenshot?

    Are you unable to boot into Normal Mode now?

    You can try the same steps from Safe Mode with Networking if you need to.
     
  13. deeps

    deeps Private E-2

    I can still boot up in normal mode but opted to run it in safe mode w/ networking...tried running windows repair again in safe mode, but same prompt box kept appearing.
     


  14. thisisu

    thisisu Malware Consultant

    Looks like a bug with the Windows Repair program.

    Let's try some of the same fixes another way.

    Now download exeHelper by Raktor.
    • Double-click on exeHelper.com to run the fix.
    • A black window should pop up, press any key to close once the fix is completed.
    • A log file named exeHelperlog.txt will be created in the directory where you ran exeHelper.com
    • Attach the exeHelperlog.txt file to your next message. (How to attach items to your post)
      Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

    Please download Win32kDiag to the root of your C:\ drive. It must be saved here or the below will not work!
    • Now press and hold the Windows key on your keyboard, then press the letter r on your keyboard.
    • This opens the Run dialog box.
    • Then copy the below bold text and paste it into the Open: text-field and press ENTER.
      C:\win32kdiag.exe -f -r
    • When it's finished, there will be a log called Win32kDiag.txt on your desktop.
    • Attach this log to your next message. (How to attach items to your post)



    Download Junction by Mark Russinovich to your desktop.
    • Extract junction.exe to your desktop.
    • Now press and hold the Windows key on your keyboard, then press the letter r on your keyboard.
    • This opens the Run dialog box.
    • Then copy the below bold text and paste it into the Open: text-field and press ENTER.
      cmd /c %userprofile%\desktop\junction -s c:\ >%userprofile%\desktop\junction.txt
    • When it's finished, there will be a log called junction.txt on your desktop.
    • Attach this log to your next message. (How to attach items to your post)

    After junction, try the CFScript and SystemLook directions again.

    Please download Microsoft Fix it 50199 to your desktop.
    • Double-click it to run.
    • Reboot when asked to.
     
  15. deeps

    deeps Private E-2

    The exeHelper DL came up as a trojan threat and was quarantined by AVG
     
  16. thisisu

    thisisu Malware Consultant

    Did you install AVG or any other AntiVirus recently?
     
  17. deeps

    deeps Private E-2

    No, I'm DLing all the files through a separate laptop and using a thumb drive to my infected desktop.
     
  18. thisisu

    thisisu Malware Consultant

    Ok, proceed to the next steps.

    Run the Microsoft FixIt tool from Normal Mode whenever you get to that step
     
  19. deeps

    deeps Private E-2

    So just bypass the exehelper command?
     
  20. thisisu

    thisisu Malware Consultant

    Yes.
     
  21. deeps

    deeps Private E-2

    After I extract the junction zip to my desktop, should I run junction.exe from the desktop?

    ..if I don't..I get an error stating Windows cannot find 'cmd'
     
  22. thisisu

    thisisu Malware Consultant

    No.

    Just skip to the FixIt step. We'll see what's wrong with cmd.exe later.
     
  23. deeps

    deeps Private E-2

    Attached win32k txt file after rebooting.
     


  24. thisisu

    thisisu Malware Consultant

    That log looks good.

    Retry running SystemLook and ComboFix using the CFScript.txt as I explained here

    Try both regardless of any errors you receive. Just make note of the error but attempt both scans/fixes.

    Also, if you go to Start (Start menu button), and click Run. In the text-field here, if you type in the below bolded text, and then press the ENTER key, what happens?
    cmd
     
    Last edited: Oct 26, 2011
  25. deeps

    deeps Private E-2

    SystemLook scanned without any issues...still experiencing same problem running ComboFix in safe or normal mode...attached a pic where the program hangs up.

    Can't run cmd either, prompt box stating 'Windows cannot find 'cmd''
     


  26. thisisu

    thisisu Malware Consultant

    I see what happened now.

    OTL moved it. Look inside this folder:

    C:\_OTL\MovedFiles\10252011_184007\c_windows\system32

    until you see cmd.exe

    Now copy paste cmd.exe into the below folder:
    C:\Windows\system32

    Let me know when you have completed this.
     
    Last edited: Oct 26, 2011
  27. deeps

    deeps Private E-2

    Moved cmd.exe file to windows\system32.
     
  28. thisisu

    thisisu Malware Consultant

    Ok, now retry the steps I outlined here for Windows Repair

    And then retry running c:\MGtools\GetLogs.bat

    Attach the new MGlogs.zip when finished.
     
  29. deeps

    deeps Private E-2

    Kept getting that error message box while running Tweaking..'execute processes remotely has encountered a problem and needs to close.'
    Let it completely run through, rebooted, ComboFix got past that previous stall stage...then got 'windows recovery console' message..(attached pic)
    Don't have an internet connection on the desktop so didn't attempt to click yes or no.
     


  30. thisisu

    thisisu Malware Consultant

    ComboFix isn't "stalling" like you say. You are being asked a question by it. You can press No and it should continue scanning just like it did when you first ran ComboFix.

    Remember what I typed before about GetLogs.bat? I want you to try to run this (GetLogs.bat) now.
     
  31. deeps

    deeps Private E-2

    Auto scan wouldn't scan past the screenshot I attached for the better part of 30+ minutes...
    Successfully ran GetLogs.bat..attached below.

    Thanks again for all the help.
     


  32. thisisu

    thisisu Malware Consultant

    Well done

    The actual rootkit itself appears to be gone according to these logs. Now it's just a matter of correcting the damage to the OS it caused.

    We'll start off by trying to repair your Internet connection.

    Try the below first:

    Please download Microsoft Fix it 50199 to your desktop.
    • Double-click it to run.
    • Reboot when asked to.

    If that does not work and/or your Internet connection is still not working...
    Read and try to follow this: Reinstall TCP/IP on Windows XP
     
  33. deeps

    deeps Private E-2

    Microsoft Fix it showed an error upon installing, will attempt manual reinstall of TCP/IP settings.
     
  34. deeps

    deeps Private E-2

    The nettcpip.inf file suggested under c:\windows\nettcpip.inf is located in the c:\i386 folder on my desktop. Should I just follow through or move the current folder to c:\windows?
     
  35. thisisu

    thisisu Malware Consultant

    Screenshot please. Are you saying the nettcpip.inf file is NOT in the c:\Windows directory? Check again.
     
  36. deeps

    deeps Private E-2

    Checked twice, it's located in c:\i386 folder...attached pic below.
     


  37. thisisu

    thisisu Malware Consultant

    That is probably a backup copy, let's see if there are any others on the OS.

    Please download SystemLook by jpshortstuff to your desktop.
    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :filefind
      nettcpip.inf
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply. (How to attach items to your post)
      Note: The log can be found on your desktop entitled SystemLook.txt
     
  38. deeps

    deeps Private E-2

    Seems to be in c:\windows\inf folder.
     


  39. thisisu

    thisisu Malware Consultant

    Yep that is the intended one you need to modify.

    C:\WINDOWS\inf\nettcpip.inf
     
  40. deeps

    deeps Private E-2

    Have internet connection!

    Run any further programs or scans?

    Thank you again.
     
  41. thisisu

    thisisu Malware Consultant

    Good job

    Are you having any other issues?
     
  42. deeps

    deeps Private E-2

    Seems to be running fine, did a full scan with SUPERAntiSpyware, one threat detected through Ad-Aware, I removed it...attached it below.
    Let me know if you need/want any other logs to attach.

    Really appreciate your patience and help.
     


  43. thisisu

    thisisu Malware Consultant

    Glad to hear it.

    There were some .bat files created, I think they were created by the Windows Repair program, but let's remove them just in case they are malware related. Run the below:

    Now we need to make use of OTL by Old Timer.
    • Double-click OTL.exe to run (Vista and Win7 right-click and select Run as administrator)
    • When OTL opens, copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
      Code:
      :commands
      [clearallrestorepoints]
      [emptyjava]
      [emptytemp]
      [emptyflash]
      
    • Now click the Run Fix button.
    • OTL may ask to reboot the machine. Please do so if asked.
    • Click the OK button.
    • When complete, Notepad will open.
    • Close Notepad.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis if it is present
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
      related to MGtools and some other items from our cleaning procedures.
    9. After doing the above, you should work through the below link:
      How to Protect yourself from malware!
     
  44. deeps

    deeps Private E-2

    Ran OTL, no issues, cleaned up MGtools, enabled Defogger...only hiccup was as I was uninstalling ComboFix...2 threats popped up almost immediately..attached pic.
     

  45. thisisu

    thisisu Malware Consultant

    This is AVG telling you that certain files which belong to ComboFix are bad. They are false-positives. This is why we ask that you completely uninstall AVG and/or disable your AntiVirus before even attempting to run ComboFix.

    This is explained here under the combofix.exe section.

    The files you attached are a part of ComboFix itself (its self-extraction process).

    Nothing to worry about :)
     
  46. deeps

    deeps Private E-2

    Whoops...pardon my ignorance then. ;)

    Thank you again for all your time and help...very much appreciated.
     
  47. thisisu

    thisisu Malware Consultant

    You're welcome. Surf safely.
     
