Malware Alarm

Discussion in 'Malware Help (A Specialist Will Reply)' started by jobella, Nov 8, 2007.

  1. jobella

    jobella Private E-2

    Hello,
    I just got a Malware Alarm message. I downloaded it but didn't run it :(
    Does that mean I am infected? I've done a Norton scan but it didn't find anything but a tracking cookie...
    Thanks for your help
    J
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Was it a pop-up from a browser? If so, it's normal to see those every once in a while.

    If you feel you are infected with some type of adware or spyware, feel free to run our standard cleaning instructions.

     
  3. jobella

    jobella Private E-2

    Hello,
    I've done the Malware Removal Guide and here are my logs and some of the things I've encountered. This is a new computer and I am not yet used to Vista, so I apologize if I haven't done or understood things properly:

    - I have a new desktop icon that has popped up: "desktop.ini". Is that normal?
    - I ran Spybot in Safe Mode and it didn't find any immediate threat. However, I wasn't sure what you meant by "SDHelper"?
    - The Notepad window didn't pop up when I double-clicked on getrunkey.bat, and now I have no .txt file to add?
    - I had already done a CounterSpy scan (not in Safe Mode) and deleted the 19 infections found (my fault, I didn't read till the end :( ). Will that be problematic?
    - I can download HijackThis. It's weird because I can't seem to unzip it. I get the following message: "can't create output file C:/program files/hijackThis/hijackThis.exe". However, I was able to unzip the runkeys and newfiles? It also says I no longer have WinZip? Do I need to download a paid WinZip?

    Finally, my system has gotten really slow since I downloaded all this extra stuff. I am also getting continuing messages from CounterSpy asking me if such and such should be opened, etc. Is there any way of stopping this?

    Thanks for all your help
     

    Attached Files:

  4. jobella

    jobella Private E-2

    Re: Malware Alarm #3 - HijackThis

    Hello,
    I was finally able to unzip HijackThis using the administrator. I followed your directions to a T but then got the following 2 error messages:

    - Denied write access to the Hosts file. If any hijacked domains are in this file, HijackThis may not be able to fix this. You need to edit the file yourself. Go into Start, Run and type: notepad "C:\Windows\System32\drivers\etc\hosts" and press Enter. Find the lines HijackThis reports and delete them. Save the file as "hosts" (with quotes) and reboot.

    I press OK and then get the following message:

    - Unexpected error has occurred: ModMain_CheckOther1Item()
    Error #75 - Path/File access error, and asking me to email merijin@spywareinfo.com

    At the end I get a whole list of things but get the following error message:

    - Cannot find C:\Program Files\HijackThis\HijackThis.log file
    So I have nothing to attach.

    Please can you help me :cry
     
  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please try to follow these instructions: Vista Cleaning

    Let me know how it goes and try to attach the logs.
     
  6. jobella

    jobella Private E-2

    Re: Malware Alarm - Vista Cleaning

    Hi,

    First of all, I seem to be having problems saving to C:\. It seems that the only way I can download is to the Desktop. Is that normal? Will it slow down my computer?

    - ComboFix worked well and I have attached a log.
    - Spybot and AVG cleaned some tracking cookies but I couldn't seem to get a report.
    - MGTools was not an easy task. The registry kept popping up and I kept getting the message "host file denied" and to run HijackThis as administrator... it kept saying that I have logs but I can't seem to find MGlogs.zip. However, I have loads of .txt files now...

    - What do I do with this desktop.ini that I have on my desktop and in my programs?

    Thanks again for all your help, and once again I apologize for being such a dunce when it comes to IT :eek:
     

    Attached Files:

  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

  8. jobella

    jobella Private E-2

    Yes, I did. I have an MGTools folder in C:\.
    I disabled UAC and double-clicked on the .bat file. I got a lot of logs and .txt documents but no .zip. Then I enabled UAC again.

    Now I seem to have a new problem:cry

    My WINDOWS SECURITY doesn't seem to be working anymore! It can't even be started...

    PLEASE PLEASE HELP ME!!!!

    Should I try to do a system restore??? Right now I just want to throw my computer out the window!!!

    Thanks for all your help

    Joanna
     
  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

  10. jobella

    jobella Private E-2

    Hi,
    I wasn't sure if you wanted me to do new scans or repost my scans from yesterday, so I've posted yesterday's until confirmation.
    Is it normal that my GetRunKey.txt is in my MGTools folder?
    My Windows situation is worsening since I can't even download updates (error code 80070643).
    What about this weird icon I have on my desktop, "desktop.ini"?
    Thanks for all your help!!!
    J
     

    Attached Files:

  11. jobella

    jobella Private E-2

    Hi,
    I don't know if it is important, but CounterSpy has just detected and removed Bifrost on my computer: HKEY_USERS\S-1-5-21-3842217765-2732907972-2143977413-1000\SOFTWARE\WGET
    My Windows Security still won't open and I still can't download updates.
    Thanks again for all your help with this problem!
     
  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Anytime I request logs, it always means fresh logs. Anything can happen causing a change and having fresh logs will show any recent changes.

    I am not sure, this is still a work in progress and me personally, I am not using this until it's complete. I like to do everything manually where I know it's done right.

    Those are legit files, they store settings to tell Windows how to display folders.
     
  13. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    If you did not purchase either of these please uninstall them now as we are done with them.

    Now scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )

    Again, make sure ALL browser windows are closed when you click FIX.

    Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.

    Once you have completed this post, reboot and let me know how things are running.
     
  14. jobella

    jobella Private E-2

    Hi
    Thanks for this information.

    Before I start any of these recommendations though I would like to double check a couple of things with you:

    - Would you like new logs since I sent you some outdated ones?

    - CounterSpy just detected malware that my Norton didn't detect. Should I therefore remove it? My Norton trial period is also running out and I was wondering if I should maybe purchase something better?

    - I've been having problems running HijackThis lately but will try to do it again. Maybe it's because I am on Vista?

    - It says that ATF Cleaner is for Windows XP. I am using Windows XP but my operating system is Vista. Will that be problematic?

    Thanks for all your help

    Joanna
     
  15. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You can attach the fresh logs once you complete my previous post.

    Yes! You can remove it, once removed attach the log so I can see what was found/removed.

    Yes! I would personally recommend AVG or Avast AntiVirus. Both are free, do a great job and use very little system resources.

    If you have the TrendMicro version it's compatible with Vista.

    It's possible. I have not tested it, but if it does NOT run on Vista then you can run CCleaner to do the same thing.
     
  16. jobella

    jobella Private E-2

    Hi,
    I think I've done everything you asked. However, I am still getting problems with HijackThis:
    - a message telling me "Access denied to host"
    - Unexpected error has occurred. ModMain_CheckOther1Item(). Error #75 - Path/File access error. And asking me to email merijin@spywareinfo.com.
    - Also, each time I try to save the log it tells me it can't find it and asks me if I want to create a new one. If I say yes, it gives me a blank Notepad page. How can I fix this so that I can send it to you?

    I've rebooted my computer and am still having problems with my Windows Security Center (I can't open it), and when I try to download an important update it gives me error 80070643. I've gone to their help center and followed their steps to restart the Office Source Engine (OSE) service, but it is still not working.

    I will now try to create new logs for you. Cross your fingers :)

    Thanks
     
  17. jobella

    jobella Private E-2

    Hi,
    I've done more recent scans but I can't seem to be able to attach files anymore? Should I start a new thread?
     
  18. jobella

    jobella Private E-2

    Hi
    I was trying to upload these using Mozilla but was unable to, as I don't know how to control its pop-up blocker.
    So here they are using IE.
    Have you found a solution to my Windows Security problems?

    Thanks a million for all of this!!!
     

    Attached Files:

  19. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please be patient, we have other issues we need to address first.

    It appears something is blocking our fix, you MUST shut down any antispy and antivirus programs before doing anything I request.

    Go back to post #13 and run it again, once complete reboot and attach fresh logs from GetRunKey, ShowNew & HijackThis.
     
  20. jobella

    jobella Private E-2

    Hi,
    I've shut down CounterSpy but don't know how to shut down Norton... My Windows Security Center is not working... I've downloaded so many things I don't even know anymore what I need to shut down. Is there any way of knowing?

    Is that why I am getting the message "Denied write access to the Hosts file. If any hijacked domains are in this file, HijackThis may not be able to fix this. You need to edit the file yourself. Click Start, Run and type: notepad "C:\windows\system32\drivers\etc\hosts" and press Enter. Find the lines HijackThis reports and delete them. Save the file as "hosts" (with quotes) and reboot"?

    Is it really bad?!?

    Thanks for your help
     
    Last edited: Nov 10, 2007
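The "Denied write access to the Hosts file" message in posts #4 and #20 comes from the fact that on Vista and later the hosts file can only be written by an elevated (administrator) process, which is why running HijackThis as administrator made the error disappear. The Windows PowerShell script below is an added example, not part of the original thread or of HijackThis: it reports whether the current shell is elevated, reads the hosts file, and lists any entries that map a name somewhere other than localhost, which is what a "hijacked domain" in that file looks like. The function names are this script's own; the hosts path is the standard system location.

```powershell
# Added example (not from the original thread): inspect the hosts file HijackThis
# complained about and check whether this shell holds an administrator token.
# Run in Windows PowerShell; $hostsPath is the standard location of the file.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

function Test-IsElevated {
    # Writing to %SystemRoot%\System32\drivers\etc\hosts needs an elevated token under UAC
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-HostsEntries {
    param([string]$Path = $hostsPath)
    foreach ($line in Get-Content -Path $Path) {
        $text = ($line -split '#', 2)[0].Trim()      # drop comments
        if ($text -eq '') { continue }               # blank or comment-only line
        $parts = $text -split '\s+'
        if ($parts.Count -lt 2) { continue }         # address with no host name
        [pscustomobject]@{
            Address = $parts[0]
            Hosts   = ($parts | Select-Object -Skip 1) -join ' '
        }
    }
}

function Get-SuspiciousHostsEntries {
    # Anything not pointing at loopback or the unspecified address deserves a look:
    # a hosts file used for hijacking redirects real names to an attacker-chosen IP.
    param([string]$Path = $hostsPath)
    Get-HostsEntries -Path $Path |
        Where-Object { $_.Address -notmatch '^(127\.|::1$|0\.0\.0\.0$)' }
}

"Running elevated: $(Test-IsElevated)"
"Hosts file: $hostsPath (read-only attribute: $((Get-Item $hostsPath).IsReadOnly))"
$odd = @(Get-SuspiciousHostsEntries)
if ($odd.Count -gt 0) {
    "Entries that resolve somewhere other than localhost:"
    $odd | Format-Table -AutoSize
} else {
    "All hosts entries map to localhost."
}
```

Run it from a normal prompt first to see the entries; if something needs removing, start PowerShell with "Run as administrator" so the edit is not blocked the same way HijackThis was.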
  21. jobella

    jobella Private E-2

    Hi,
    So I've removed AVG Anti-Spyware and Sunbelt CounterSpy.
    I've had to run the HijackThis as Administrator (that's the only way I don't get that error message).
    Is my problem really bad?!?!
    I really appreciate your patience with this!!!
    J
     

    Attached Files:

  22. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your logs are clean. If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix, you can delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, C:\WINDOWS\nircmd.exe, and the C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    6. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    7. If we had you run Avenger, you can delete all files related to Avenger, the log (avenger.txt) and C:\avenger.
    8. If we had you download any registry patches like fixme.reg, fixme1.reg or fixWLK.reg (or any others), you can delete these files now.
    9. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created.
    10. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    11. After doing the above, you should work through the below link:
     
  23. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    No, your problem is not bad. I don't believe it's malware related.

    Reboot into Safe Mode and see if the Security Center works properly. If it does not then I recommend posting in the Software Forum.
     
  24. jobella

    jobella Private E-2

    Hi,
    Just a quick question before I reboot.
    -What do I do with MGTools and all its logs? Somehow my HijackThis, GetRun, and ShowNew got in there?
    -What do I do with my Hijackthis folder?
    - Should I keep ATF and CCleaner?
    - My OS is Vista but I am using windows XP. Do I need to run Disable System Restore?

    Thanks

    Joanna
     
  25. jobella

    jobella Private E-2

    Hi,
    Me again :)
    I am sure you are going to be happy when this is over ;)
    I have a serious doubt right now... When I did the Read and Run I skipped over step 8 because my OS is Vista... However, does that make a difference if I use Windows XP... Should I have followed that step?
    Thanks for your help again
    J
     
  26. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    What do you mean by your OS is Vista but you're running WinXP?
     
  27. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Post 22, read!
     
  28. jobella

    jobella Private E-2

    Hi,
    Sorry, I am not very computer literate.
    I just bought this new computer and it is running Windows Vista Business; however, I have downloaded my Windows XP programmes. So I was wondering if I still had to do step 8: toggle System Restore on Win XP (which I didn't do during the Read & Run Me First as I got confused).
    In post #22 there is no mention of HijackThis, MGTools and ATF Cleaner. Do I remove them?
    Thanks for your help
    Joanna
     
  29. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You have Windows Vista, your OS is Windows Vista Business. The term "OS" stands for Operating System.

    More information...
     
  30. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Yes! Delete anything we used during this entire thread.
     
  31. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    To disable System Restore please follow these steps...
    1. Click on the Start button to open your Start Menu.
    2. Click on the Control Panel menu option.
    3. Click on the System and Maintenance menu option.
    4. Click on the System menu option.
    5. Click on System Protection in the left-hand task list.
    6. Uncheck the checkboxes next to each hard drive listed under the Create restore points automatically on the selected disks: section.
    7. Click on the Turn System Protection Off button.
    8. Press the Apply button and then the OK button.
    9. Once disabled REBOOT and then re-enable.
    To re-enable System Restore please follow these steps...
    1. Click on the Start button to open your Start Menu.
    2. Click on the Control Panel menu option.
    3. Click on the System and Maintenance menu option.
    4. Click on the System menu option.
    5. Click on System Protection in the left-hand task list.
    6. Put a checkmark in the checkboxes next to each hard drive listed under the Create restore points automatically on the selected disks: section.
    7. Press the Apply button and then the OK button.
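The disable, reboot, re-enable sequence above (and step 10 of post #22) exists because restore points can preserve copies of files that were just removed; turning protection off discards them, and turning it back on starts from a clean point. As an added example, not from the original thread, the same procedure can be driven from an elevated Windows PowerShell prompt with the Disable-ComputerRestore, Enable-ComputerRestore, Checkpoint-Computer and Get-ComputerRestorePoint cmdlets (Windows PowerShell only, not PowerShell Core). The -Phase and -Drives parameters and the restore-point description are this script's own assumptions.

```powershell
# Added example (not from the original thread): flush System Restore points the way
# post #31 describes, but from an elevated Windows PowerShell prompt.
# Usage:  .\Flush-RestorePoints.ps1 -Phase Disable   (then reboot)
#         .\Flush-RestorePoints.ps1 -Phase Enable
param(
    [ValidateSet('Disable', 'Enable')]
    [string]$Phase = 'Disable',
    [string[]]$Drives = @('C:\')        # drive roots, trailing backslash required by the cmdlets
)

switch ($Phase) {
    'Disable' {
        # Turning protection off removes the existing restore points on each drive,
        # including any that might contain copies of the files just cleaned up.
        foreach ($drive in $Drives) {
            Disable-ComputerRestore -Drive $drive
            "System Protection disabled on $drive"
        }
        "Reboot now, then run this script again with -Phase Enable."
    }
    'Enable' {
        foreach ($drive in $Drives) {
            Enable-ComputerRestore -Drive $drive
            "System Protection enabled on $drive"
        }
        # Create a fresh restore point immediately so there is a known-clean state to return to.
        Checkpoint-Computer -Description 'Clean restore point after malware cleanup' `
                            -RestorePointType MODIFY_SETTINGS
        # List what exists now; after the flush this should be just the new point.
        Get-ComputerRestorePoint | Format-Table SequenceNumber, CreationTime, Description -AutoSize
    }
}
```

Both phases need an elevated prompt, and the reboot between them is not optional: the cmdlets change the same setting as the System Protection dialog, so the listing at the end is the quickest way to confirm that the old restore points are actually gone.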
     
  32. jobella

    jobella Private E-2

    Hi There,
    I've deleted everything we used that was no longer necessary.
    Rebooted in Safe Mode.
    My Windows Security is still not working, so I will post a thread on the Software forum. Should I specify anything about these threads?
    Stupid question maybe, but how do I know my problem is fixed?
    Finally, 2 little questions:
    - I have a lot of .txt files, .bat files and .log files in my C drive. Do I need to keep them all? Can I hide them?
    - This desktop.ini is on my desktop, in my program folder, in my documents folder... Do I need to keep them all?
    Thanks again for ALL your patience and help in this matter
    J
     
  33. jobella

    jobella Private E-2

    Sorry,
    Since we did these manipulations I am also getting weird stuff in my document folders, where I get very light-colored entries which start with ~$, which replaces the first letters of entries. Is that normal?!?
    Thanks
     
  34. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Yes, that is normal because you are viewing all files. You need to hide the files and also hide system files.

    Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file hideme.reg and then click Save. (Make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the hideme.reg file on your desktop (or locate it with Windows Explorer and double-click on it if not saved to the Desktop) and when it prompts to add it to the registry, say Yes.
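The desktop.ini files from post #12 and the ~$ entries from post #33 are both normally hidden; they became visible because the cleaning guide turned on the display of hidden and protected operating-system files, which is the Explorer setting the hideme.reg in this post is meant to switch back. The quote box itself is not reproduced on this page, so the following Windows PowerShell script is an added example, not the original .reg file or any MajorGeeks tool: it reads and sets Explorer's real Hidden and ShowSuperHidden values under HKCU\...\Explorer\Advanced, and lists any desktop.ini that is missing the hidden and system attributes Explorer always gives it, since such a file was not written by Explorer and is worth a second look. The function names and the folder to scan are this script's own choices.

```powershell
# Added example (not from the original thread): why desktop.ini and ~$ files show up,
# and how to restore the default Explorer view. Registry value meanings:
#   Hidden          1 = show hidden files, 2 = do not show hidden files (default)
#   ShowSuperHidden 1 = show protected OS files, 0 = hide them (default)
$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

function Get-ExplorerHiddenFileSettings {
    $p = Get-ItemProperty -Path $advanced
    [pscustomobject]@{
        ShowHiddenFiles      = ($p.Hidden -eq 1)
        ShowProtectedOSFiles = ($p.ShowSuperHidden -eq 1)
    }
}

function Set-ExplorerHiddenFileSettings {
    param([bool]$ShowHidden = $false, [bool]$ShowProtectedOS = $false)
    $hiddenValue = if ($ShowHidden)      { 1 } else { 2 }
    $superValue  = if ($ShowProtectedOS) { 1 } else { 0 }
    Set-ItemProperty -Path $advanced -Name Hidden          -Value $hiddenValue -Type DWord
    Set-ItemProperty -Path $advanced -Name ShowSuperHidden -Value $superValue  -Type DWord
    # Explorer reads these at start-up: log off and on (or restart explorer.exe) to see the change.
}

function Find-OddDesktopIni {
    # Explorer writes desktop.ini with the Hidden and System attributes set. One without
    # them (in the profile folder tree, by default) was created some other way.
    param([string]$Root = [Environment]::GetFolderPath('UserProfile'))
    Get-ChildItem -Path $Root -Filter desktop.ini -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object {
            (($_.Attributes -band [IO.FileAttributes]::Hidden) -eq 0) -or
            (($_.Attributes -band [IO.FileAttributes]::System) -eq 0)
        } |
        Select-Object FullName, Attributes, Length, LastWriteTime
}

"Current Explorer view settings:"
Get-ExplorerHiddenFileSettings
"desktop.ini files lacking the hidden+system attributes (normally none):"
Find-OddDesktopIni
# To hide hidden and protected OS files again, as the post above intends:
# Set-ExplorerHiddenFileSettings -ShowHidden $false -ShowProtectedOS $false
```

The ~$ files are Office's lock files for documents that are open or were not closed cleanly; they carry the hidden attribute, so they disappear with the same setting and need no separate treatment.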
     
  35. jobella

    jobella Private E-2

    Thanks for everything!!!
    I think... I hope all is gone ;)
    2 little questions for you before we close this thread:

    - Is it normal that I have LOADS of visible little documents on my C:\ drive? For example: BOOTSECT.BAK, tempunkey, xlmBHO, ... The Notepad trick you showed removed the ones in My Documents but not these?

    - My Windows Security is still not working... I got an email back from Windows (in French because I am based in France, but my computer is English) saying that I have a .NET Framework problem? What is .NET Framework? I can't even find it on my computer?

    I've tried putting a thread in Software 2 days ago but no news :( Is that normal?

    Thanks again for EVERYTHING

    J
     
  36. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    It is normal to have some files/folders; the ones you listed named "tempunkey, xlmBHO" do not sound like they belong, so I would delete them. I would not, however, delete any files, especially if you're not sure.

    Download and install this,

    Microsoft .NET Framework Version 2.0

    Yes! We are all volunteers and come in when time permits, so patience is a must here.
     
