Malware Problems

Artemis is not a trojan. It is a name McAfee has given to their supposed newer scanning technology. See: http://www.mcafee.com/us/enterprise/products/artemis_technology/index.html

IMHO: A cause of many false detections and confusion.


You need to run step 6 of the READ & RUN ME as requested to disable your Disk Emulation software since it is clouding up the logs. Do this now before continuing.

You have a Master Boot Record infection that McAfee is not telling you about.



Please download HelpAsst_mebroot_fix.exe by noahdfear and save it to your Desktop

• Double click HelpAsst_mebroot_fix.exe to run it and follow any prompts.
  • If the tool detects an mbr infection
    • please allow it to run mbr -f and shutdown your computer.
    • Upon restarting, please wait about 5 minutes after bootup, and then click Start>Run and type the following bolded command, then hit Enter.
      • helpasst -mbrt
    • Make sure you leave a space between helpasst and -mbrt
    • When it completes, a log will open.
    • Attach this log to your next message.
  • If the tool DOES NOT detect an mbr infection and completes running:
    • Click Start>Run and type the following bolded command, then hit Enter.
      • mbr -f
    • Make sure you leave a space between mbr and the -f
    • Now, please do the Start>Run>mbr -f command a second time.
    • Now shut down the computer (do not restart, you must shut it down), wait a few minutes then start it back up.
    • Give it about 5 minutes after the bootup and then click Start>Run and type the following bolded command, then hit Enter.
      • helpasst -mbrt
    • Make sure you leave a space between helpasst and -mbrt
    • When it completes, a log will open.
    • Attach this log to your next message.

No matter what happens with the above, attach the above logs and then immediately continue with the below in normal boot mode!


Now download The Avenger by Swandog46, and save it to your Desktop.

• Extract avenger.exe from the Zip file and save it to your desktop
• Run avenger.exe by double-clicking on it.
• Do not change any check box options!!
• Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

• Now click the Execute button.
• Click Yes to the prompt to confirm you want to execute.
• Click Yes to the Reboot now? question that will appear when Avenger finishes running.
• Your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).



Then attach the below logs:

• C:\avenger.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

Based on your logs, you still have the infection and the procedure did not work properly due to McAfee getting in the way of the removal process. Since McAfee is not detecting or removing the malware, you will have to uninstall McAfee so that we can manually do what it cannot do.

After you uninstall McAfee, reboot your PC, then repeat the instructions I gave you in message #3 and attach the new logs. We have almost a 100% success rate with this procedure.

 

Okay McAfee did not uninstall properly. Also it looks like you may have a few other infections which are complicating the MBR infection removal. Let's first cleanup McAfee.

Please download and run this: McAfee Consumer Product Removal Tool

Now please see step 6 of the READ & RUN ME and run it to disable your Disk Emulation Software which is making the rest of the cleanup more difficult. Make sure that you remain in the disabled state until we are finished with malware removal. If you are already disable, you can ignore this, but I need to be sure that you have disable it and you keep it that way.

Then uninstall My Way Search Assistant

Now delete the C:\Avenger folder since it is getting very large and making your logs also get to long.


Now go to TDSSKiller and Download TDSSKiller.zip to your Desktop

• Extract its contents to your Desktop so that you have TDSSKiller.exe directly on your Desktop and not in any subfolder of the Desktop.
• Click Start > Run and copy/paste the following bold command into Run box and hit Enter.

"%userprofile%\Desktop\TDSSKiller.exe" -v

• Follow the instructions to type in "delete" when it asks you what to do when if finds something.
• When done, a log file should be created on your C: drive named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt which is based on the program version # and date and time run. Please attach this log to your next reply. (See: HOW TO: Attach Items To Your Post )

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.ca/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.ca/myway
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)

After clicking Fix, exit HJT.

Now we need to use ComboFix

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
• If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
• Open Notepad and copy/paste the text in the below quote box into it:

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

Run MGtools.exe ( Note: If using Vista make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )

Now attach the below log:

• C:\ComboFix.txt
• C:\MGlogs.zip

The above will not finish off the MBR infection but we need to get this out of the way before continuing and I need to be 100% sure that you have no disk emulation software (like Alcohol and Daemon Tools ) running!

 

Thanks! I just needed to be sure since it could mislead us in interpreting the logs.

It worked properly and indicates that you do not have a TDSS infection that I was concerned about. Thus the MBR infection is what we have to focus on now.

I want you to run all of the steps from message # 3 again beginning with the line that says

Make sure that you even redownload the tool.

Also it is extremely important that you wait at least the 5 minute interval of time as specified and DO NOT do anything else on the PC while waiting, Try to be very exact in following the instructions.

If it does not work properly this time, we will have to resort to using your Windows XP boot CD. Do you have one? We need to run the Recovery Console from the CD as the Recovery Console installed using ComboFix will not work properly to remove this infection.

 

Trying using the below process from Dell to repair your infected MBR.

http://supportapj.dell.com/support/topics/global.aspx/support/dsn/document?c=my&l=en&s=gen&docid=26B720E7D596B89DE040A68F5B280867


After you successfully run this, attach a new log from MGtools ( you need to run C:\MGtools\GetLogs.bat again )

 

Can you borrow a Windows XP boot CD from someone? But do note that fixing the mbr may prevent access the the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. There are a couple of known fixes for said condition, though the methods are somewhat advanced. If you are unwilling to take such a risk, and you will either need to restore your computer to a factory state or allow your computer to remain having an infected mbr ( and the latter not recommended since it can be very dangerous to your security especially financially ).

 

Yes it would and hopefully it woud rewrite the drive from an image which includes rewriting the MBR. If it does not rewrite the MBR, you would have wasted you time because you would still be infected.

However do note that it is possible that if the System Restore option you are referring to was going to try restoring from a drive partition on your hard disk, that it may not work at all since the act of attempting to fix the MBR infection could have possibly broken it.

You can back up all your personal data. This infection is not known to infection your personal data and rarely impacts other files on the system at all.

Yes there are other possible options like trying to boot to the Recovery Console you installed with ComboFix and then running the fixmbr command. You may or may not be able to even boot to this installed Recovery Console due to this infection, but you can try. You will see the options for it show on your screen shortly after you start your PC. You need to respond by hitting the up/down arrow key (quickly) to choose the Recovery Console and then hit enter. Then you will need to select your Windows installation ( normally # 1 the C:\Windows installation). The when you finally get to the command prompt, which is a black screen with a C:\Windows> prompt, you will have to enter the fixmbr command. You will get a warning about this since you are running a Dell system with a Non-Standard MBR (thans Dell) but fixing the MBR with fixmbr is the only option other than the factory restore.

 

It would be a good idea to download the current version of MGtools and attach a new log just to be sure.

You're welcome. No it is not a waste of time. We have learned something here. The infection is evolving again. The creators have now learned how we have been removing it and they changed the infection to block our fixes. We will now have to determine what they have modified so that we can adjust things on our end to detect and remove the new forms of infection. If companies like Dell would learn to not make modifications to Windows and would provide proper CD/DVDs with their PCs so that users can repair things without requiring a reinstall, life would be easier for all.

 

You're welcome.

Your MBR infection is gone.

I don't see MyWay in your install list. I just see a browser main page setting, but do the below anyway.

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.ca/myway
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

After clicking Fix, exit HJT.


Now locate the C:\MGtools\RemMWS.bat file and double click on it.



Now if you are not having any other malware problems, it is time to do our final steps:

1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
2. Go to add/remove programs and uninstall HijackThis.
3. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
   related to MGtools and some other items from our cleaning procedures.
4. After doing the above, you should work thru the below link:
   • How to Protect yourself from malware!

 

You're welcome. Surf safely!