Need Help, HKLM

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by karlabartle, Dec 8, 2007.

  1. karlabartle

    karlabartle Private E-2

    Hi, I hope you can help me, I have been through the steps in "READ AND RUN ME FIRST" except combofix as I was unable to get this to work.

    I noticed a problem yesterday when my Windows Messenger popped up with a fake message from my son, who I know was not logged in at the time as he was in the same room. The message was asking me to "check out these pictures" and of course transfer files. As I knew this was not my son, I realised I had problems. I didn't attempt to transfer the files; instead I closed Windows Messenger and uninstalled it. I then ran my McAfee scan and noticed in the scan details (where it shows you the file currently being scanned) HKLM/SOFTWARE/etc/etc (couldn't catch it all as it was too fast); however, when the scan was finished McAfee told me no problems were found and my computer was protected. I scanned using Windows Defender, where I also saw the HKLM/SOFTWARE in the scan details but again was told no problems were found.
    I searched HKLM/SOFTWARE on Google and was linked to a thread on here explaining similar problems and in turn to the "stickies" on the subject.

    As I am not too good with this type of thing, I am unsure as to whether I have resolved the problem by following the steps outlined in "Vista cleanup procedure". I would be very grateful if you would take a look at my logs and offer any help if needed.

    Also, advice on the best software to protect my laptop in the future, as McAfee and Windows Defender didn't seem to do a good job.
     


  2. karlabartle

    karlabartle Private E-2

    And the HiJackThis Log.....


    Thanks in advance for any help or guidance given.
     


  3. karlabartle

    karlabartle Private E-2

    I have just run the Windows Defender scan again - HKLM and HKCU files were still showing in the scan details, but again I was told no unwanted or harmful programs were found.
     
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Download this file to your desktop - Combofix.exe
    Double click combofix.exe & follow the prompts.
    When finished, it will produce a log for you. Attach this log to your next reply

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    NOTE: HJT may popup an error about the AppInit_DLLs line. Ignore it and click OK to continue.

    After clicking Fix, exit HJT.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and the ComboFix log.

    Try to capture or tell me the reg. keys that are being reported.
     
  5. karlabartle

    karlabartle Private E-2

    Thank you for your reply.

    I have done as you requested - this time combofix worked.

    When I ran MGlogs.analyse.exe, many files like the three you instructed me to check and fix showed up, I only checked the ones you told me to.
    However, my browser was still open when I did this; I had accidentally clicked minimise rather than close - is this really bad?? I didn't notice until afterwards.

    My combofix and MGlogs are attached.
     


  6. karlabartle

    karlabartle Private E-2

    Here is the HJT log file too, where the HKLM files show up.
     


  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Your logs look clean.

    If you are not having any other malware problems, it is time to do our final steps:

    1. If we used Pocket Killbox during your cleanup, do the below
    * Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix, you can delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, C:\WINDOWS\nircmd.exe, C:\combofix.txt and C:\ComboFix-quarantined-files.txt logs that were created.
    3. If we used SDFix, you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used SmitFraudFix, you can delete all files and folders related to it now, including the c:\rapport.txt log.
    5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    6. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    7. If we had you run Avenger, you can delete all files related to Avenger now.
    8. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    9. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete C:\MGlogs.zip
    10. If you are running Windows XP or Windows ME, do the below:
    * go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
    * Then reboot and Enable System Restore to create a new clean Restore Point.

    11. After doing the above, you should work thru the below link:
    * How to Protect yourself from malware!
     
  8. karlabartle

    karlabartle Private E-2

    Thank you very much TimW,

    Your help has been much appreciated.
     
  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You're very welcome ...safe surfing. :)
     
  10. karlabartle

    karlabartle Private E-2

    It appears that something is still not right - I don't understand what is happening, none of my anti virus or anti spyware programs are finding anything yet, having reinstalled windows messenger, I am again getting messages that appear to be coming from my son asking me to transfer files - the message says "here are my private pictures" with a file transfer request.

    Can you shed any light on this at all??
     
  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

  12. karlabartle

    karlabartle Private E-2

    OK, will do. I must admit there only seems to be a problem when I am signed into the messenger - I had no idea it was a security risk, though I should've known with Windows' reputation! Thanks again TimW.

    Do you mind me asking what your views on Ubuntu Linux are, if you have any at all? I have been reading up on it a lot because of the reported benefits in security compared to using Windows as your OS. It all looks a tad confusing though and I'm not sure whether to try it.
     
  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    It will be a difficult operating system for the novice user ... you can get answers to your questions from some of our regular Linux users here: Linux.
    :)
     
  14. karlabartle

    karlabartle Private E-2

    Things now seem OK without Windows Messenger.

    Thank you very much for all your help and advice over the last few days!
     
  15. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are welcome .....(remove it from all your computers!) ...safe surfing!! :)
    And you might want to run our procedures on your son's computer.
     