Possible W32/Gaobot.worm......virus infection

Discussion in 'Malware Help (A Specialist Will Reply)' started by Odeho19, Sep 18, 2009.

  1. Odeho19

    Odeho19 Private E-2

    Hello, my name is Odean, and I believe I've got a virus on my Dell XPS 410, Vista Ultimate SP2 computer. I've got an Intel Core2 CPU 6600 @ 2.40 GHz processor, with 2 GB RAM on a 32-bit system. I switched to using Chrome as my browser, and before that I was using FF. I was trying to watch a movie last night that I got from a friend of mine as a .zip file, and tried to extract it. Couldn't get it to extract properly, or view it, so I just gave up and went to bed. Later when I woke up, I found my system to be behaving strangely, so I thought I'd run a random virus scan with my AVG Free that I have installed. While I was running that scan, I got a couple of warning messages regarding the virus I apparently have. That's when I started writing the information that follows.


    I've been infected with some sort of worm/virus. I've gotten a warning message stating that I've been infected with the following: W32/Gaobot.worm.gen.u-Win32/RBot.3eu. I am losing icons (meaning, custom icons are being replaced by MS generic ones on software I've installed on my PC), and now the ability to run some programs (i.e. mrt, Spybot S&D, SuperAnti-Spyware, Malwarebytes Anti-Malware), and all of my System Restore Points have been erased. What I get when I try to run these is an Explorer warning box that states, "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access them." I've run a scan this morning with my AVG Anti-virus, and this is how I found I had the infection. It states that I have over 33,000 'unhealed' files. (And I do run my anti-virus regularly.) When I click to heal them I get a statement that says "Scan result manager is not initialized", for ALL of them. It was while I was doing some research that I found out that my anti-spyware programs are not working. Malwarebytes wasn't working properly before this issue anyways, but that's being worked on by myself and that company. (It closes down EVERY TIME I click on the button "remove infected".) There now is a pop-up opening that states my "b.exe file has stopped working." But not knowing enough about this, I'm afraid to do anything to it (it's a process running in my Task Mgr). I clicked on its file path, and noticed another file listed nearby called 'c.exe'.

    The first thing I've done here now, is run the "Read and Run me 1st" guide. Here is what I've run in to so far:

    1. Ran through the 1st 5 steps with no hitches. Everything worked well.

    2. Running the Vista Cleaning Procedure is where I ran into more problems. Everything went correctly up until Step 3. I tried to run SAS, and had it installed on my desktop. Clicked to start the scan, and it just disappeared completely. It didn't run any scan at all. Same thing happened to Malwarebytes.

    3. ComboFix however ran perfectly, and the computer seems to be running MUCH faster, and smoother.

    4. RootRepeal was another problem program. It started to do its scan, and for quite a while it went well. Then it hung up (with what appeared to be hundreds of lines in the "file path" column, with the line "Locked to Windows API!" after them). Then it just closed on its own.

    5. Ran MGtools, and everything went as planned. MGlogs.zip got created, and I closed the cmd.exe window out.

    Alright, I was just about to post when I saw that your system had found some other poor souls that had problems similar to mine, so I read a couple of their posts. Then I went back and ran SAS & Malwarebytes in Safe Mode. SAS quit again like before and said that "I didn't have permissions to run it". But Malwarebytes this time did run a Quick Scan, but instead of the 7 issues it had before today's problems, now there are 9. And I'll include that log as well.

    Edit: When I returned from Safe Mode, there were a few things on my desktop that weren't there before: 2 separate "desktop.ini" files that apparently just contain configuration settings, and a procdll.txt notepad that I'll attach just in case you need it.
     

    Attached Files:

    Last edited: Sep 18, 2009
  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Please attach the log from RootRepeal into your next response. Also tell me: Did you have MBAM fix what it found? As your log reveals you didn't take any action for any of the files found.

    In the meantime I will start reviewing your other logs. Thanks for your patience during this time.

    Kes13!
     
  3. Odeho19

    Odeho19 Private E-2

    There is no way to give you a log for RootRepeal. The program shuts down on itself, and I can't find a log for it anywhere. So what I've done instead, was run the program, and take 4 screen captures of what was on the screen while it was trying to scan my system. These are 4 shots in Photobucket.

    1) http://i475.photobucket.com/albums/rr114/Odean_H/Rootrepeal1.png
    2) http://i475.photobucket.com/albums/rr114/Odean_H/rootrepeal2.png
    3) http://i475.photobucket.com/albums/rr114/Odean_H/rootrepeal3.png
    4) http://i475.photobucket.com/albums/rr114/Odean_H/rootrepeal4.png

    As for Mbam, as stated in my first post, the product also shuts down on itself immediately after I click on the button to fix the infected files, so there wouldn't be any files fixed, and also no action taken. Sorry about that, but I don't know what else to do with that software, and I haven't heard back from the developer yet, as to a possible solution for it. I'm going to wait to hear from you first, even if they do get back to me with their solution, before I do anything to their product. I'll post to you with their solution for their product, IF they come up with one.

    Latest changes are that there are 3 ".reg" files in my C:\Users\Odean\Documents folder now, that weren't there before. All three start with "cc", and all show as being registry entries. I don't know where they came from, and they don't disappear after "hiding" files, and folders.

    The fourth screenshot shows a small window in the middle of the shot. That window had nothing in it, and when I dragged it around, you could see thru it. The text that you see in it, is actually the text that was there for those lines in the report.

    Thank You,
    Odean
     
    Last edited: Sep 23, 2009
  4. Odeho19

    Odeho19 Private E-2

    Sorry about this. Don't mean to bump my post, but I found these logs this morning, and thought you might need them. They're apparently from my first attempts to run RootRepeal, and I didn't know they existed. I hope they help.
     

    Attached Files:

  5. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    1. Now we need to use ComboFix

    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:

    Code:
    KILLALL::
    
    File::
    c:\users\Odean\vbzip10.dll
    c:\windows\system32\drivers\wvulqxgnnemttiem.sys
    C:\Windows\win32k.sys
    
    DirLook::
    c:\users\Odean\{3a967938-aa8f-4682-a6d7-a589fdb70d8c}
    c:\users\Odean\'
    C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
    
    Registry::
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]
    
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below


    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    2. Also delete all files in the below bold folders except ones from the current date (Windows will not let you delete the files from the current day).
    3. Now do the following (make sure you redownload the file. Do not use the old copy.):

    • Download this Win32kDiag(If on your desktop - Right click and choose copy / then Open my computer, click on the C drive and in the window paste it there) and save to C:\Win32kDiag.exe. You must save it here!!!!
    • Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please attach this log


    • C:\win32kdiag.exe -f -r


    4. Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )


    Then attach the below logs:

    • the new log from Win32kDiag
    • C:\MGlogs.zip
    • C:\ComboFix.txt

    Make sure you tell me how things are working now!

    5. Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Combofix.

    6. Let us know of any problems you may have encountered with the above instructions and also let me know how things are running now!
     
  6. Odeho19

    Odeho19 Private E-2

    Alrighty then! I've run everything you asked for, and attached the subsequent logs. The only problems I encountered while running them are as follows:

    1. While running ComboFix, an error window popped open and said it couldn't finish because of a file that wasn't available. (?) Didn't get the file name, but I'll re-run the program again if you'd like, to get it.

    Otherwise, running these tests went smoothly enough. I've re-enabled my security software, but I'm curious as to when SAS and Malwarebytes will be able to be run, and run correctly. I'll wait for your next message before I run anything else. I haven't heard anything back yet from the Malwarebytes team as to what they've figured out is wrong with their product either. I'll let you know.

    So far, everything else SEEMS to be running smoothly, and still fast, but like I said, I haven't run any other scans, so I'm unsure if the Virus is still in the system or not. Thanks for your help!
     

    Attached Files:

  7. Odeho19

    Odeho19 Private E-2

    Sorry to re-post, but this came to me AFTER my edit time was up. Last night @ about 1:00 A.M., my internet connection died. I had nothing. I called my cable company, and was told everything was fine on their end. My router was working correctly too. But here on the PC itself, there was no working connection. Then when I woke up this morning, everything was back to normal.

    Don't know if this matters, as I don't recall this happening before, but thought I'd mention it.
     
  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Now we need to reset the permissions altered by the malware on some files.
    • Download this tool and save it to your Desktop: Inherit.exe
    • It must be in your Desktop or the below fix will not work!
    Now run the C:\MGtools\FixPerm.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). While this is running, you will get several/many popups that have a title "Finish" and say OK. Just click the OK button each time. This is an indication that it has found a file and has attempted to fix permissions. Depending on how many files need to be fixed, you could get only a few or many of these popups.


    And then see if you can run SAS and MBAM. If so, update it, fix all it finds and attach logs into your next reply.
     
    Last edited by a moderator: Oct 12, 2009
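    The symptom Odeho19 reported earlier ("Windows cannot access the specified device, path, or file") and the FixPerm.bat step above both concern DACLs on the security tools' executables. The script below is an added example, not part of this thread and not the code of FixPerm.bat or Inherit.exe: it audits a list of assumed tool paths for broken inheritance and explicit Deny entries, and with -Fix restores inheritance using only built-in cmdlets. Run it from an elevated prompt; the paths in $targets are assumptions to adjust for your machine.

```powershell
# Added example (not from the thread, not FixPerm.bat/Inherit.exe).
# Audits and optionally repairs the DACLs of security-tool executables that
# malware commonly locks out by breaking inheritance or adding Deny ACEs.
param(
    [switch]$Fix   # pass -Fix to restore inheritance on anything flagged SUSPECT
)

# Assumed install locations of the tools named in the thread; adjust as needed.
$targets = @(
    "$env:ProgramFiles\Malwarebytes' Anti-Malware\mbam.exe",
    "$env:ProgramFiles\SUPERAntiSpyware\SUPERAntiSpyware.exe",
    "$env:SystemRoot\System32\mrt.exe"
)

function Test-ToolAcl {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false; Protected = $null; DenyRules = @() }
    }
    $acl = Get-Acl -LiteralPath $Path
    # AreAccessRulesProtected = $true means inheritance from the parent folder
    # was disabled, so the file no longer gets the normal Users read/execute ACE.
    $deny = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' })
    [pscustomobject]@{
        Path      = $Path
        Exists    = $true
        Protected = $acl.AreAccessRulesProtected
        DenyRules = $deny
    }
}

function Repair-ToolAcl {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    # Drop explicit (non-inherited) Deny entries first, since Deny wins over Allow.
    $explicitDeny = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and -not $_.IsInherited })
    foreach ($rule in $explicitDeny) { [void]$acl.RemoveAccessRule($rule) }
    # SetAccessRuleProtection($false, $false): re-enable inheritance and do not
    # keep stale copies of old inherited rules; the parent folder's ACL flows back.
    $acl.SetAccessRuleProtection($false, $false)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

foreach ($t in $targets) {
    $r = Test-ToolAcl -Path $t
    if (-not $r.Exists) { Write-Host "MISSING  $t"; continue }
    $flag = if ($r.Protected -or $r.DenyRules.Count -gt 0) { 'SUSPECT' } else { 'ok' }
    Write-Host ("{0,-8} {1}  inheritance-broken={2}  deny-entries={3}" -f `
        $flag, $t, $r.Protected, $r.DenyRules.Count)
    foreach ($d in $r.DenyRules) {
        Write-Host ("         DENY {0} -> {1}" -f $d.IdentityReference, $d.FileSystemRights)
    }
    if ($Fix -and $flag -eq 'SUSPECT') {
        Repair-ToolAcl -Path $t
        Write-Host "         inheritance restored; re-run without -Fix to confirm"
    }
}
```

A file whose audit line reads SUSPECT while the tool still launches is worth a look too, since a Deny ACE scoped to a different account is easy to miss from the logged-in user's view.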
  9. Odeho19

    Odeho19 Private E-2

    Alrighty then, here we go with my update..... I downloaded the Inherit.exe tool as instructed, to my desktop. Then I ran the FixPerm.bat file. Everything went very well. I counted 19 different files it needed to fix permissions for.

    Then SAS and MBAM were run. The log for SAS that is attached is from today's running, and it worked PERFECTLY, as though nothing were ever wrong! :-D
    MBAM, on the other hand, ran the scan (which is better than the performance I had gotten out of this product prior to running several of the tools you've instructed me to). Then, however, the problems began.

    MBAM found 7 Trojans, and had them quarantined. But then, when I clicked on "removed selected", it started to remove them, and then it "stopped working" again, and I got the same explorer window as before, stating that the product had stopped working, and would be shutting down. The log that I've attached regarding MBAM, is from 9-20-2009. I thought maybe if YOU looked at it, you might see something that no one else has been able to, or maybe it might be helpful to you somehow. I still haven't heard from the developers of MBAM regarding any solution as to what to do with their product to fix it, yet. I'll send them another message right now, and ask them for another progress report. This time, I'm also going to include a link to this string, so that maybe they can find some clues as to why their product isn't working through some of your efforts here.

    Otherwise, my only questions for you would be, what can I remove from my desktop so far, such as the Inherit.exe file, or can I "hide" the files and folders from view that were previously hidden? I would have done this on my own, but I'd rather not take any steps unless or until you tell me to. I haven't downloaded or installed anything since this process has begun unless it's through you (with the exception of Windows Updates, of course). So, if there are any other steps I can or should take that would help clean things up some, I would like you to let me know what those would be.

    Thanks for your help so far, and I hope I've been doing this correctly.....
     

    Attached Files:

    Last edited: Oct 13, 2009
  10. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    MBAM needs to be updated (So update MBAM, then boot into safe mode > run a new scan, fix all it finds and attach the log it produces.) and SAS is way out of date.

    Get the new version of SAS installed following the below instructions, run a scan with that > fix all it finds > and attach the log into your next reply here.

    Important Notice: A new version of SUPERAntiSpyware is out.
    • Please uninstall your current version (this is necessary).
    • Then download this SUPERAntiSpyware
    • Install this new version. It may tell you that you need to reboot to complete the installation. You must reboot at this time.
    • After the reboot, run SUPERAntiSpyware and immediately click the Check for Updates button to get more updates for the database.
    • Now run a new full scan of your system. And attach this log later.

    Also: I would like to ask you about the contents of this directory c:\users\Odean\'

    Did you put those files there? If not please delete the whole folder. Let me know.
     
  11. Odeho19

    Odeho19 Private E-2

    Okay, so, I did as you instructed, and I updated MBAM, went to safe mode, and ran it. And the same thing happened AGAIN! Nothing changes. It runs its course, tells me there are 7 infections (Trojans), and when I click on the button "Remove Selected", it starts to remove them, and then it shuts itself down. This time, however, I stopped the process and took a screen capture of the process for you. Also, I expanded the view of the 7 viruses as much as I could to hopefully give you more information. So, there is no new log to attach for you. It didn't create one. The newest one there is, is the one that I attached to my last post.

    As for SAS, I was unaware there was a newer version, but that's been taken care of. The log of that run is attached also. Everything ran MUCH smoother, and quicker, and it said it only found 1 tracking cookie.

    As for the file C:\users\Odean\', that you mentioned, I've never seen it before, and didn't know it existed. I did notice that this folder was 'dimmed' somewhat, suggesting to me that it is hidden, along with all the others when I switch my folders view back. When I looked at it, all it appears to have been to me is a list of movies from something, so I deleted it. If I go through that directory some more, and find other things like this, can I get rid of them also, or is this the only one you were concerned with?

    Otherwise, like I already said, things are running much faster and smoother than they were before. And it does appear that even the scans are getting finished faster as well. I did send off a message to my contact at MBAM, and he got back to me, and said that they are well aware of your Web Site, and have in fact used it in the past. But they will look into THIS particular string to see if it will help in determining why I'm having an issue with their product. So for now, I'll just wait for your next instructions.........
     

    Attached Files:

  12. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.
     
  13. Odeho19

    Odeho19 Private E-2

    Ran the GetLogs.bat file, as requested. Got a couple of error messages while running it. Took screen shots of them. Log is attached w/ screen shots.
     

    Attached Files:

  14. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Why did you install avg when you already have bullguard as an anti-virus? Please only do what we request you to do whilst cleaning your machine of malware.

    The real-time protection of two antivirus programs may conflict with each other and cause the following:

    • False Alarms: When the anti-virus software tells you that your PC has a virus when it actually doesn't.
    • Conflicts: Your system may lock up due to both products attempting to access the same file at the same time.
    • Performance: More than one antivirus will cause your PC to become slow and it may even crash or blue screen.
    • Less protection: Two antivirus products trying to scan the same file may interfere with the process and allow a malicious file(s) onto the computer without notice to you.
    Please uninstall one of them now before we continue.

    If you choose to uninstall avg:

    AVG Removal Tool

    Make sure you also delete any AVG folders in Program Files and Docs & Settings/Application Data directories.

    You should then restart your system and run 'CCleaner' in two sections:
    1. Cleaner > run a standard disk clean
    2. Registry > Scan for Issues > fix all issues with AVG found and, to improve your system generally, any other registry problems found. You should run this at least twice. Do agree to the 'back up' it suggests before completing the fix.

    You should now restart/reboot your system.

    Now:

    We need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    DirLook::
    C:\Windows\system32\eu-ES
    C:\Windows\system32\ca-ES
    C:\Windows\system32\vi-VN
    File::
    C:\Windows\mgxoschk.ini
    C:\Windows\TEMP\96bd84e4-592f-4cd8-ae5e-a8e6897a4c58.tmp
    C:\Windows\TEMP\c04eb386-780e-4965-881c-d501e7a217f4.tmp
    C:\Users\Odean\AppData\Local\Temp\CR_8860.tmp
    C:\Users\Odean\AppData\Local\temp\ge34616
    C:\Users\Odean\AppData\Local\temp\ge44024
    C:\Users\Odean\AppData\Local\temp\ge48676
    C:\Users\Odean\AppData\Local\temp\ge61420
    C:\Users\Odean\AppData\Local\temp\ge61900
    C:\Users\Odean\AppData\Local\temp\ge66320
    C:\Users\Odean\AppData\Local\temp\ge7280
    C:\Users\Odean\AppData\Local\temp\ge86400
    C:\Users\Odean\AppData\Local\temp\~cqd3c~1.tmp  
    C:\Users\Odean\AppData\Local\temp\~cqD3C3.tmp.tmp
    C:\Users\Odean\AppData\Local\temp\~cqe18~1.tmp  
    C:\Users\Odean\AppData\Local\temp\~cqE182.tmp.tmp
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now please also delete all files in the below bold folders except ones from the current date (Windows will not let you delete the files from the current day).

    • C:\Windows\TEMP
    • C:\Users\Odean\AppData\Local\Temp
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Combofix.

    Let us know of any problems you may have encountered with the above instructions and also let me know how things are running now!
     
  15. Odeho19

    Odeho19 Private E-2

    :-D I only have 1 anti-virus program installed and running on my PC. It's AVG free. Bullguard is a product I use to scan my e-mail for spam. To my knowledge, (and it's the ONLY reason I installed this product) this is the only service, this product provides me. I've opened and searched all over inside it, and NOWHERE, anywhere, does it state, in any form, or fashion, that it represents itself, as an "anti-virus" type of product. Therefore, I chose to leave it alone. I have disabled the e-mail protection in all other products I use, and rely on this one alone to stop receiving, or filtering out, spam in my e-mail server.

    In order to run the file + ComboFix you wanted, I needed to disable all of my other protections that I had running. I wasn't able at the time to figure out HOW to do that with AVG, so I uninstalled it. That, and SuperAnti-Spyware, too. Then I found this link while I was reading the instructions for ComboFix http://www.bleepingcomputer.com/forums/topic114351.html, but alas, it was already too late for AVG, and they didn't provide instructions on how to stop the protections provided by SAS anyways, so, no harm done.

    Then I ran that scan, and the GetLogs.bat one also. (see attached). There was one hiccup just as the ComboFix was getting started, and I took a screenshot of that for you also, along with another warning that popped up.

    There were no other files to delete in the two folders that you asked me to check in, other than those from today's date.

    Other than that, things are running fine. I am curious as to what it is you're having me do with these scans. And I know you can't really educate or teach me what they do, but I would like to know what they are, or what this "kill" file is that I installed in ComboFix. Is there somewhere I could read up on this, so that I could feel a little more comfortable and knowledgeable about what it is that I'm doing here? I'm doing all this work, and I'd just feel better if I knew what it is that's going on here. Plus, I'd like to know what it is that I did wrong, that you feel the need for the "LET ME KNOW HOW THINGS ARE GOING NOW!" comment? I'm pretty sure I'm not holding anything back here, and I thought I was doing EVERYTHING you've asked, as quickly and thoroughly as possible, and providing as much info as I know that I should. Am I not providing enough feedback? Or am I doing some things wrong? I'd like to know...... Thank You......
     

    Attached Files:

  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sorry we misread your logs as Bullguard also provides a full security suite as you can see from this:

    http://www.bleepingcomputer.com/startups/bg-561.html

    and also from this:

    http://www.pcpitstop.com/libraries/process/i/BullGuard.exe.html

    You did not need to uninstall SAS or disable it because the free version does not provide any protection and does not interfere with malware removal steps.

    The last scans were just putting in the finishing touches to make sure that the items in your Temp folder and one ini file, which is a remnant from a Vundo-like infection, were cleaned up.

    Your initial logs showed you had a very nasty Windows Police Pro type infection and much work needed to be done to cleanup the problems that it causes to PCs. So basically, everything being done was to remove and repair what it did to your PC.

    No, you cannot read up on it anywhere as this information is not made public so that we can keep the malware creators from knowing what we are doing. Revealing our secrets openly would be like them creating malware and then telling us how to remove it.

    If you wish to learn about malware removal and tools used to remove malware, you can sign up for training at one of the sites listed in this link: Becoming A Malware Forum Helper

    However, be aware that it will be a long, time-consuming path since there is much to learn, and you will not learn anything about advanced tools like ComboFix for a long time.


    Your logs are now clean. If you are not having any lingering problems with permissions on any files, folders or registry keys ( you would notice these when trying to install or run programs or when trying to delete any files or folders) then it is time for final instructions posted below which cleans up after all of our procedures.


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    8. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
    Last edited: Oct 24, 2009
  17. Odeho19

    Odeho19 Private E-2

    I just want to say an official THANK YOU! to both Kestrel 13!, and Chaslang for your help with this issue of mine. I've run through all of the information in Chas' last post, and EVERYTHING looks great!

    I was wondering about something I read in the "How to Protect yourself from malware!" article. In step #11, about half way down there is a warning about "be very careful to read popups before clicking on them. You probably do not want what they are selling and sometimes the correct answer may be the opposite of what you think. They will choose wording meant to confuse you." And I've run in to friends of mine that have seen these pop-ups, and didn't know any better, and just clicked away to "get the security scan", or "make the virus go away that they talked about". And I've been telling them that the only thing they should be doing with these boxes is clicking on the red "X" in the upper right hand corner to close them out. Don't click on ANYTHING inside the box to make it go away, or close it out, as this will activate whatever crap they've designed it for. Am I wrong about this, or should I change what I'm telling them?

    Again, THANK YOU BOTH, so much for your help, and guidance through this. It is VERY much appreciated. This was extremely interesting for me, and I'm glad we were able to successfully rid the machine of this Virus.
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.



    Actually it is frequently already too late once the popup has even appeared. But better options are the below:
    • If you have a good firewall installed, have it lock/block the internet. Then kill the browser window using Task Manager or similar.
    • If your firewall does not give such an option, physically unplug the cable to the internet. Then kill the browser window using Task Manager or similar.
     
