Coworker's daughter's computer

Discussion in 'Malware Help (A Specialist Will Reply)' started by SWario, Feb 27, 2010.

  1. SWario

    SWario Sergeant

    OS: Windows Vista SP2
    CPU: Intel Pentium Dual-Core T3200 2.00GHz
    RAM: 2 GB

    Another one! This one arrived operational, but a bit slow (and with only Vista SP1 - it was missing SP2!). User complained about not being able to install a new antivirus software due to an error message telling him to restart constantly. After taking a brief look, it looks like lots of optional toolbars had been installed, as well as some known malware (My Web Search). He also said that a popup "from the computer" told them to buy a program called "RegistryBooster" to fix their problems: so he did. (at this point I grimaced visibly in front of him) However, I also couldn't find immediately obvious evidence that RegistryBooster was malware, so I assume when he said "popup from the computer" he meant an ad on a website, and it was just sketchy advertising.

    It may be worth noting that MGTools seemed to run completely through by just running MGTools.exe and not having to run GetLogs.bat separately. Please let me know if I am mistaken, and it needs to be run again.

    Anyway, logs are attached, and I'm not sure that everything is taken care of. Let me know if something still needs to be cleaned up or if there are any special procedures to follow.

    Thanks!
     

  2. SWario

    SWario Sergeant

    And the last log.
     


  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    The logs are clean, but there is no AV program installed!! I suggest you install one ASAP.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real-time protection. They are useful as backup scanners. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between combofix" and /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    7. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work thru the below link:
     
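    The scriptable parts of the final steps above (the antivirus check, the ComboFix uninstall, re-enabling UAC, and MGclean.bat) as a PowerShell script. This is an added example, not code from the thread or from MajorGeeks; it assumes the file locations the thread gives (ComboFix at %userprofile%\Desktop\combofix.exe, MGtools at C:\MGtools) and that the machine is Vista or later, where Security Center registers antivirus products under the root\SecurityCenter2 WMI namespace. The decoding of productState is the commonly used interpretation of an undocumented bit field and is an assumption. Steps 1, 3, 5 and 7 (keeping the scanners, removing other tools, uninstalling HijackThis, toggling System Restore) are left to be done by hand as described.

```powershell
# Added example (not from the thread): scripted checks for the final steps above.
# Assumed locations, taken from the thread:
#   ComboFix: %userprofile%\Desktop\combofix.exe
#   MGtools:  C:\MGtools (enableUAC.reg, MGclean.bat)
# Run from an elevated PowerShell prompt on Vista or later.

$ErrorActionPreference = 'Stop'

function Get-InstalledAntivirus {
    # Security Center (Vista+) lists registered AV products here. productState is a
    # bit field Microsoft has not documented; the usual reading (assumption) is:
    # hex digits 3-4 == 10 -> real-time protection on, digits 5-6 == 00 -> signatures current.
    $products = Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct
    foreach ($p in $products) {
        $hex = '{0:X6}' -f $p.productState
        New-Object PSObject -Property @{
            Name     = $p.displayName
            Enabled  = ($hex.Substring(2, 2) -eq '10')
            UpToDate = ($hex.Substring(4, 2) -eq '00')
        }
    }
}

function Test-UacEnabled {
    # EnableLUA=1 is the registry value behind "User Account Control: on".
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    (Get-ItemProperty -Path $key -Name EnableLUA).EnableLUA -eq 1
}

# The point of Tim's reply: confirm an antivirus is actually installed and running.
$av = @(Get-InstalledAntivirus)
if ($av.Count -eq 0) {
    Write-Warning 'No antivirus product is registered with Security Center. Install one before finishing.'
} else {
    $av | Format-Table Name, Enabled, UpToDate -AutoSize
}

# Step 2: uninstall ComboFix exactly as the thread describes (quoted path, then /uninstall).
# ComboFix shows its warranty disclaimer; answering Yes completes the uninstall.
$combofix = Join-Path $env:USERPROFILE 'Desktop\combofix.exe'
if (Test-Path $combofix) {
    & $combofix /uninstall
} else {
    Write-Host "ComboFix not found at $combofix, skipping."
}

# Step 4: re-enable UAC by importing the .reg file MGtools dropped, then verify it took.
$uacReg = 'C:\MGtools\enableUAC.reg'
if (-not (Test-UacEnabled)) {
    if (Test-Path $uacReg) {
        reg.exe import $uacReg
    } else {
        Write-Warning "$uacReg not found; re-enable UAC from Control Panel instead."
    }
}
if (Test-UacEnabled) {
    Write-Host 'UAC is enabled (a reboot is needed if it was just changed).'
} else {
    Write-Warning 'UAC is still disabled.'
}

# Step 6: run MGclean.bat to remove MGtools and the other cleanup leftovers.
$mgclean = 'C:\MGtools\MGclean.bat'
if (Test-Path $mgclean) {
    cmd.exe /c $mgclean
} else {
    Write-Host "$mgclean not found, skipping."
}
```

    Run the antivirus check again after installing the new product: a product that shows Enabled = False has registered with Security Center but is not providing real-time protection, which is the situation the thread warns about.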
  4. SWario

    SWario Sergeant

    Clean? Woot! That was easier than I thought it would be. Yeah, I uninstalled the existing antivirus to try and install the new one before I realized that there was an infection. I'll be installing antivirus on it tonight after I do your final steps.

    Thanks again Tim!
     
  5. SWario

    SWario Sergeant

    Tim,

    Just a couple observations to share, and I didn't think it warranted a whole new thread.

    In #2 of your last instructions, when uninstalling ComboFix, it prompts the user with the "Disclaimer of Warranty on Software" dialog box. Clicking "Yes" completes the uninstallation.

    In #5 of your last instructions, I uninstalled HijackThis via Add/Remove Programs. However, when doing so, I was prompted with a "There was a problem while trying to remove HijackThis. It may already have been uninstalled. Would you like to remove HijackThis from the list of programs?" I clicked "Yes".

    In #7 of your last instructions, you refer to "Step 3 for your Window version" to toggle System Restore. I think you meant "Step 6: Toggle System Restore" (at least for Vista; it is Step 4 for Windows XP). You've also got a few spelling errors in #7.

    Just trying to clear up some possible questions/confusions. I got what you meant, but that doesn't mean all users will. ;)


    In the Vista Cleaning Procedure, the last part of Step 5 says:
    It should say "step 6".

    Now I need to finish updating this user's antivirus and software, and then I need to educate them on how to keep their computer safe. Thanks again for all your help!
     
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Thank you for the proof read. I will pass this along to the rest of the team.
     
