Vista machine w/mediaplex

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Bad Panda, May 23, 2008.

  1. Bad Panda

    Bad Panda Private E-2

    I'm working on a computer for someone and ran through all the steps. I still have mediaplex and another that are being reported on Spybot. I don't know how to deal with this.
    Here are the logs. Thanks!
     

    Attached Files:

  2. Bad Panda

    Bad Panda Private E-2

    Here is the SAS log.
     

    Attached Files:

  3. Bad Panda

    Bad Panda Private E-2

    Chaslang,
    I received a message from you stating that you were moving these logs to my original post. I don't see your post. However, these are 2 different machines, which perhaps you saw and that is why this post is not dead.
    I did not realize that 2 posts were an issue, and I will not post again in this one until the other one is resolved.

    Regards,
    Panda
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes when I saw this I thought it was in response to what I asked you to do in the other thread. Then I realized that it was really another computer. It is not a problem to work multiple PCs (each having a different thread), it is just less confusion for all if you don't work them at the same time since sooner or later someone will get confused. ;)

    I will post a fix (in another message) for this new PC but it would be good if you first complete the other thread 100% (still waiting for the results of the fix that was given) and then continue this one.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It appears that you forgot to accept the license agreement for HijackThis that pops up when running MGtools. Goto C:\MGtools and right click on analyse.exe and select Run As Administrator. Accept the license agreement (you may have to click twice) and then just run a scan. Don't bother saving a log right now. Then just exit HijackThis.

    Also it appears that GetRunKey.bat did not run properly. Did you have any problems or error messages while running MGtools? Was UAC disabled and did you reboot after disabling? Was Spy Sweeper's protection disabled??? It may be causing problems. Is this copy of Spy Sweeper a paid version or free trial. If trial, uninstall it now.

    You also did not put this PC into normal startup mode with MSconfig. You must do this now as requested in step 1 of the READ ME, and why would the user want to break the protection of Avast by not allowing it to start up?


    Uninstall the below software as requested in step 1 of the READ ME:
    Ask Toolbar
    BearShare MediaBar
    Java(TM) 6 Update 2
    Java(TM) 6 Update 3
    Viewpoint Media Player

    Do you know what the below folder and .bat file are for?
    Code:
    2008-04-27 11:17 . 2008-05-21 12:28 <DIR> d--hs---- C:\Users\Owner\!
    2008-04-27 11:17 . 2008-04-27 11:17 433 --a------ C:\Users\Owner\584.bat
    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  6. Bad Panda

    Bad Panda Private E-2

    Regarding the normal startup; it isn't allowing me to put it into normal mode. I enable it, but it goes back to a selective configuration where an item was removed from the startup. The only thing not showing up is part of Avast. Any suggestions on how I might correct this?
     
  7. Bad Panda

    Bad Panda Private E-2

    Oh, I did not see any errors on the Getrunkey.bat when it ran.
    I sprained my ankle Friday so I won't be getting on this issue...probably until Tuesday. Hope that isn't a problem.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not address all of my questions. Like whether UAC was disabled and had you rebooted after disabling. Was Spy Sweeper disabled? Is Spy Sweeper a paid version? Also I commented about the license agreement for HijackThis.

    Sorry to hear this. No problem. Just get back to us when you can.
     
  9. Bad Panda

    Bad Panda Private E-2

    Quote: You did not address all of my questions. Like whether UAC was disabled and had you rebooted after disabling. Answer: UAC was disabled and I had rebooted.

    Q: Was Spy Sweeper disabled? A: No.
    Q: Is Spy Sweeper a paid version? A: Yes. It is a full, apparently ineffective, version. :)
    Q: Also I commented about the license agreement for HijackThis. A: I don't remember seeing the license agreement window. More than likely I did not run the program as administrator and didn't see any errors.
    Q: Do you know what the below folder and .bat file are for?
    Code:
    2008-04-27 11:17 . 2008-05-21 12:28 <DIR> d--hs---- C:\Users\Owner\!
    2008-04-27 11:17 . 2008-04-27 11:17 433 --a------ C:\Users\Owner\584.bat
    Answer: The directory c:\users\owner\! holds multiple avi files. This is the batch text:
    Echo off
    :A
    Del C:\Users\Owner\services.exe
    If Exist C:\Users\Owner\services.exe Goto A
    :B
    Del C:\Users\Owner\csrss.exe
    If Exist C:\Users\Owner\csrss.exe Goto B
    :C
    Del C:\Users\Owner\smss.exe
    If Exist C:\Users\Owner\smss.exe Goto C
    :D
    Del C:\Users\Owner\svchost.exe
    If Exist C:\Users\Owner\svchost.exe Goto D
    :E
    Del C:\Users\Owner\winlogon.exe
    If Exist C:\Users\Owner\winlogon.exe Goto E
    Del C:\Users\Owner\584.bat


    Considering that I am unable to get it into normal startup mode, what should my next steps be? As you mentioned in your post, Avast is not starting up with all options enabled. This is not by my choice. Should I follow your steps that started with running Combofix?
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Spy Sweeper can and will get in the way of malware removal steps. Can you uninstall this for now? Will it let you uninstall it in safe mode? If you can, uninstall in safe mode, see if you can uninstall the 5 other items I requested a few messages back.

    You must follow the instructions. When you run MGtools (or GetLogs.bat from MGtools) or analyse.exe (which is HijackThis.exe) you must right click and select run as administrator.

    Okay but who put them there. Do they belong to the owner?

    Looks like someone was trying to use a batch file to constantly loop on fixing some malware files. Do you know who? Delete this batch file as it is not needed.


    I need to know more about this issue. When you set it to normal startup are you saying it immediately goes right back to selective startup or are you saying it reverts when you do the reboot? Please post the contents of the C:\boot.ini file here. This is a hidden file. It could have a /SAFEBOOT in it which is stuck and forcing you back to safe boot mode.
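    As an added, defender-side example (not the poster's batch file and not anything from MajorGeeks), the checker below reads ComboFix-style listing lines like the two quoted earlier in this thread and flags the two signs that batch file points at: core Windows process names living outside the system directories, and hidden+system folders inside a user profile. It only reports; it deletes nothing. The listing is constructed from the two quoted lines plus two made-up ones.

```python
"""Flag masquerading process names and hidden+system user-profile folders in a ComboFix-style listing."""
import ntpath
import re

# Core process names that legitimately live only under the system directories (the five the batch targets).
CORE_PROCESS_NAMES = {"services.exe", "csrss.exe", "smss.exe", "svchost.exe", "winlogon.exe"}
SYSTEM_DIRS = {r"\windows\system32", r"\windows\syswow64"}  # drive letter stripped before comparing

# "<date> <time> . <date> <time> [<DIR>] [size] <9-char attrs> <path>"
LISTING_RE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d "
    r"(?:<DIR> )?(?:\d+ )?(?P<attrs>[-a-z]{9}) (?P<path>.+)$"
)

# Constructed sample: first two lines are the ones quoted in the thread, last two are made up.
SAMPLE_LISTING = [
    r"2008-04-27 11:17 . 2008-05-21 12:28 <DIR> d--hs---- C:\Users\Owner\!",
    r"2008-04-27 11:17 . 2008-04-27 11:17 433 --a------ C:\Users\Owner\584.bat",
    r"2008-04-27 11:17 . 2008-04-27 11:17 24576 --a------ C:\Users\Owner\svchost.exe",
    r"2008-01-19 02:33 . 2008-01-19 02:33 27136 --a------ C:\Windows\System32\svchost.exe",
]


def parse_listing(lines):
    """Return (attrs, path) tuples for every line that matches the listing format; others are skipped."""
    entries = []
    for line in lines:
        m = LISTING_RE.match(line.strip())
        if m:
            entries.append((m.group("attrs"), m.group("path")))
    return entries


def _drive_free_lower(path):
    return ntpath.splitdrive(ntpath.normpath(path))[1].lower()


def is_masquerading(path):
    """True when the file name is a core process name but its directory is not a system directory."""
    directory, name = ntpath.split(_drive_free_lower(path))
    return name in CORE_PROCESS_NAMES and directory not in SYSTEM_DIRS


def in_user_profile(path):
    return _drive_free_lower(path).startswith("\\users\\")


def suspicious_entries(lines):
    """Return [(path, [reasons])] for listing entries that show either warning sign."""
    findings = []
    for attrs, path in parse_listing(lines):
        reasons = []
        if is_masquerading(path):
            reasons.append("core process name outside the system directories")
        if "h" in attrs and "s" in attrs and in_user_profile(path):
            reasons.append("hidden+system attributes inside a user profile")
        if reasons:
            findings.append((path, reasons))
    return findings
```

Run against SAMPLE_LISTING it reports the `!` folder and the user-profile svchost.exe, and stays quiet about the System32 copy.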
     
  11. Bad Panda

    Bad Panda Private E-2

    Spysweeper and all 5 programs have been uninstalled. I have not installed the updated version of Java yet, but MGTools has been run as Admin. AVI files have been deleted; the owner believes her brother put them on. The owner had no idea what a batch file was or how it got on the system. It has been deleted.
    Here is something odd. I only see a file boot.ini.saved. boot.ini is not to be found (yes, hidden files are shown.) The text of the .saved file reads:

    ;Warning: Boot.ini is used on Windows XP and earlier operating systems.
    ;Warning: Use BCDEDIT.exe to modify Windows Vista boot options.
    ;
    [boot loader]
    timeout=0
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /NOEXECUTE=OPTIN /FASTDETECT

    Normal startup question: your description of the symptom is correct. When I set it to normal startup, it returns to selective.
    I'll run CF from earlier step and post requested logs & put Java on while waiting for any reply. Thanks for everything!!!
     
  12. Bad Panda

    Bad Panda Private E-2

    I ran this and thought you might want the updated version... I'll stop messing around with this until I hear from you.
     

    Attached Files:

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes I forgot for the moment that this was Vista which does not have boot.ini.

    Are you sure you are in safe boot mode??? Your last MGlogs.zip file shows you were in normal boot mode. This is seen in the hijackthis.log file inside of the ZIP file. It showed this
    In MSconfig, if you select the Boot tab, what options are checked on the page. Look at all options and report back on them. Did someone check the option to make all boot options permanent? If yes, uncheck it. Also if the /SAFEBOOT box is checked, uncheck it.


    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
    O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
    O24 - Desktop Component 0: (no name) - http://www.google.com/images/x2.gif
    O24 - Desktop Component 1: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
    O24 - Desktop Component 2: (no name) - http://video.google.com/url?vidurl=...c=gvpl&usg=AL29H209v-GjwvhJA1MQMl9-Gwb3oIbqjw

    After clicking Fix, exit HJT.

    Now reboot!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

    Then attach the below logs:
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  14. Bad Panda

    Bad Panda Private E-2

    I'm going to reply regarding the startup first, then run the MGT and post the logs in a separate post.
    When I started the system, the window showing that "MSCONFIG has been used to alter startup options...blah, blah" came up. I ran msconfig and it shows the following:
    Selective Startup with LOAD SYSTEM SERVICES checked and LOAD STARTUP OPTIONS blocked.
    Boot tab - nothing checked.
    Under the SERVICES tab, all are checked.
    Under the STARTUP tab, all are checked with the exception of Avast Antivirus. I think something is preventing it from starting. Perhaps it is the McAfee that shows on startup but mentions something about compatibility with Vista? Even though the program never actually launches, maybe it recognizes Avast as a competing AV for resources and disables it?
    If I uninstalled Avast, I bet that would eliminate the Normal Startup problem. I can always reinstall it.
    I will run what you requested and post the logs immediately.
    Regards,
    Panda
     
  15. Bad Panda

    Bad Panda Private E-2

    Here are the logs:
    As far as improvement, the computer is better but not performing as it should. Of course, it is Vista, so you never know what is going to cause it to freeze up.
    Oh, that startup program from McAfee I mentioned was Spamkiller, and should have nothing to do with affecting Avast.
     

    Attached Files:

  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You are going to have to be a lot more specific. What are you comparing it to? And exactly what are the problems you are experiencing?

    I suggest that you uninstall SUPERAntiSpyware now since we don't need it anymore. You don't have any malware.

    Also uninstall Avast antivirus now. Then reboot. After reboot, do the below.


    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    Now reinstall Avast.

    Now please download and use the current version of MGtools and attach a new log. It gives us some additional info that may be helpful.
     
  17. Bad Panda

    Bad Panda Private E-2

    My complaint about Vista performance on this machine is most likely caused by the hardware/operating system, not necessarily by any malicious software.
    Registry edit went flawlessly.
    With Avast removed I was still not able to put into NORMAL startup mode. I installed AVG instead of AVAST to see if there was a difference; there isn't.
    Included is the log.
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I really did not want you to install anything else at this time. I wanted to see if any applications are getting in the way. Installing AVG just complicates things. Please uninstall AVG if still installed and then get a new MGlogs.zip file and attach it. You forgot it last time anyway but I want one with no antivirus applications installed.
     
  19. Bad Panda

    Bad Panda Private E-2

    That's the 3rd time I've uploaded the log and it hasn't gone through. It did show in the post when I sent it...bizarro.
    Anyway, NORMAL mode is functioning now. Here are the updated logs (hopefully.)
     

    Attached Files:

  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay so now that you can boot in normal mode are you having any real malware issues?

    If not then reinstall your antivirus program and then continue on with the below.

    If you are not having any other malware problems, it is time to do our final steps:
    1. You can uninstall SUPERAntiSpyware now.
    2. We recommend you keep Malwarebytes Anti-Malware as a scanner. It uses no resources except a little disk space until you run a scan.
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop & renamed it like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\cf" /u
        • Notes: The space between the cf" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\cf folder from combofix.
    4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    6. If we had you run Avenger, you can delete all files related to Avenger now.
    7. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    8. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    9. Go to add/remove programs and uninstall HijackThis.
    10. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    11. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    12. After doing the above, you should work thru the below link:
     
  21. Bad Panda

    Bad Panda Private E-2

    Everything is working normally and Vista is as happy as it can be. Again thank you for all your time and hard work Chaslang.
    If you don't mind me asking, when you review the logs and are looking at registry entries, how do you know which registry entries to remove? Programs I can understand (internet) but registry entries are pretty specific, and there are a lot of them to review. Just curious...if it is a trade secret, it's cool.
    Thanks again!!!!
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    Just lots of experience with each Windows Operating System. :)
     
