malware problem; read and run me first complete

Discussion in 'Malware Help (A Specialist Will Reply)' started by chasf, Sep 23, 2010.

  1. chasf

    chasf Private E-2

    Hello all and thanks in advance for any help I can get! I don't mean to get long winded, but to try to get you up to speed, here is what I've done. I'm working on my mom's laptop. It's a Toshiba running Vista with only 1GB of RAM and McAfee VirusScan 2009. Last January, she got a trojan that took a little work, but after following some threads and running some fixes, I thought I had it licked :) Since then I installed Malwarebytes, ATF Cleaner, and SpywareBlaster and instructed her to run them periodically. (And you know how that probably went.) Last weekend she told me the computer will not work properly and that she restored to a date in late August to no avail. So I've taken it to my place to work on it. Startup was slow, which I expected, but I was unable to connect to the internet - concerning since my PC is able to connect with no issues. I tried to run Malwarebytes but it would not open.

    I uninstalled some programs that seemed unnecessary and while in the middle of doing some processing, it crashed and I got a BSOD memory dumping error. Hard restart and voila, the internet connected! So while I had a connection I installed Firefox and tried to do as many updates as I could. Malwarebytes updated but did not run, so I changed the file name and did a quick scan; it only took 6 mins, which was concerning to me, and found no malicious items. I restarted and ran a full scan, again no malicious items. I really don't remember what I did next but do know that after a restart I again had no internet, and I did not until last night when in the middle of uninstalling a program (sorry, don't remember which) the internet suddenly connected. I was in the process of going through the Run and Read Me First (very awesome stuff!) by burning the fixes from my PC to CDs when the internet came back. So I was able to download the fixes.

    Starting with SUPERAntiSpyware, I had to change the setup file name to SAS.exe so that it would run. No malicious items found. Next I ran Malwarebytes but had to change the file name to MABM to run. No malicious items found. Next, ComboFix would not start. The window popped up, I selected 'Run' but it did not start. Then I had the idea that McAfee was probably blocking it, so I uninstalled it. Still no dice. I started RootRepeal late last night and fell asleep before it completed. When I woke up the computer this afternoon, I could not tell if it completed or not, so I restarted it. It completed. BTW, somewhere during a restart I lost internet again. After RR completed, memory dumping error again, hard restart and the internet is back. Last I ran MGTools.

    It is complete.
    As of right now, the computer is functioning properly. It has every time after the hard boots, until somewhere something happens or a restart and then I have no internet. I thought maybe it could be a hardware issue, but due to the fact that ComboFix won't run and SAS and MBAM need to be altered, I'm suspicious that there is something on the computer somewhere.
    Again, sorry for the long post, but that is where I am at.
     
    Last edited by a moderator: Sep 24, 2010
  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Then you need to attach their logs regardless of whether they found anything or not.

    Rename combofix.exe to 123.com and run it in safe mode if normal mode is proving problematic for you.

    Then you need to attach the C:\MGlogs.zip as well as the log from ComboFix if you were successful and also the logs from MBAM and SAS ;)
     
  3. chasf

    chasf Private E-2

    OK, here are the logs. I was able to run ComboFix after changing to 123.exe. I have no internet again. I burned the logs to a CD and am uploading from my PC.
     

    Attached Files:

  4. chasf

    chasf Private E-2

    Things are working a little better since ComboFix was run...
     
  5. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Not seeing much to do:

    Just so you know, you should never follow advice from other threads; it is always most sensible to start one of your own.

    Important Notice: A new version of SUPERAntiSpyware is available.
    • Please uninstall your current version (this is necessary).
    • Then download this SUPERAntiSpyware
    • Install this new version. It may tell you that you need to reboot to complete the installation. You must reboot at this time.
    • After the reboot, run SUPERAntiSpyware and immediately click the Check for Updates button to get more updates for the database.
    • Now run a new full scan of your system. And attach this log later.

    Running from: c:\users\Owner\Desktop\123.exe <--- Rename back to combofix.exe

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    Folder::
    C:\Users\Owner\AppData\Local\temp\Low
    File::
    C:\Windows\temp\BIT7C24.tmp
    C:\Users\Owner\AppData\Local\temp\966cG7kx.exe.part
    C:\Users\Owner\AppData\Local\temp\8.0.30.1-EasyShrx.Dll
    C:\Users\Owner\AppData\Local\temp\FP_PL_PFS_INSTALLER.exe
    C:\Users\Owner\AppData\Local\temp\gd5531.tmp
    C:\Users\Owner\AppData\Local\temp\gd5531.tmp.gg
    C:\Users\Owner\AppData\Local\temp\InstallManager_BAB_BAB.exe
    C:\Users\Owner\AppData\Local\temp\is-NKHUR.tmp
    C:\Users\Owner\AppData\Local\temp\MSIA378.tmp
    C:\Users\Owner\AppData\Local\temp\MSIa6ca7.LOG
    C:\Users\Owner\AppData\Local\temp\MSN40E6.exe
    C:\Users\Owner\AppData\Local\temp\MSN40E6.tmp
    C:\Users\Owner\AppData\Local\temp\nslD3B5.tmp
    C:\Users\Owner\AppData\Local\temp\osd.xml
    C:\Users\Owner\AppData\Local\temp\SetupExe(20100920194732FF4).log
    C:\Users\Owner\AppData\Local\temp\TFRB089.tmp
    C:\Users\Owner\AppData\Local\temp\VistaLib32_1.dll
    DirLook::
    C:\Windows\Low 
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

    Tell me again how things are running. Don't forget to attach the new SAS log.
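    The CFScript above is a list of sections (KILLALL::, Folder::, File::, DirLook::) that ComboFix acts on, so it is worth reading exactly what a script will delete before dragging it onto ComboFix.exe. The following is an added example, not code from the thread or from ComboFix: a small Python parser for that section layout plus a check that flags any File:: or Folder:: entry outside the temp locations used in this thread's script. The sample script, the expected-prefix list and the extra drivers path are constructed for illustration.

```python
"""Parse a ComboFix-style CFScript into sections and flag deletion
targets outside the expected temp folders (added example, constructed)."""
import re
from collections import OrderedDict

# A section header is a bare word followed by "::", e.g. "File::".
SECTION_RE = re.compile(r"^([A-Za-z]+)::\s*$")

# Locations the thread's script deletes from; anything else gets flagged
# for a second look before the script is run (constructed, case-insensitive).
EXPECTED_PREFIXES = (
    "c:\\users\\owner\\appdata\\local\\temp\\",
    "c:\\windows\\temp\\",
)


def parse_cfscript(text):
    """Return an ordered mapping of section name -> list of entry lines."""
    sections = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue                      # blank lines separate sections
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError("entry before any section header: %r" % line)
        else:
            sections[current].append(line)
    return sections


def unexpected_paths(sections):
    """Paths in File:: or Folder:: that are not under an expected prefix."""
    flagged = []
    for name in ("File", "Folder"):
        for path in sections.get(name, []):
            lowered = path.lower()
            if not any(lowered.startswith(p) for p in EXPECTED_PREFIXES):
                flagged.append(path)
    return flagged


# Constructed sample modelled on the thread's script, with one extra
# File:: entry outside the temp folders so the check has something to flag.
SAMPLE = r"""
KILLALL::

Folder::
C:\Users\Owner\AppData\Local\temp\Low
File::
C:\Windows\temp\BIT7C24.tmp
C:\Users\Owner\AppData\Local\temp\osd.xml
C:\Windows\System32\drivers\example.sys
DirLook::
C:\Windows\Low
"""
```

Running `unexpected_paths(parse_cfscript(SAMPLE))` returns only the constructed drivers path, which is the kind of entry a reader should confirm with the helper before running the script.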
     
  6. chasf

    chasf Private E-2

    Here are the logs. Things do seem to be getting better. The internet is connecting every time!
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You still did not install the new version of SUPERAntiSpyware. You have to follow the instructions as written. You MUST uninstall SUPERAntiSpyware in order to get the program version to update. They have an inadequacy in their update program that only changes the database versions but not the main program version when you just use the built-in update mechanism.


    Please explain if you are still having any malware problems.
     
  8. chasf

    chasf Private E-2

    Try this one. Things do seem back to normal. :)
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Good.



    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
  10. chasf

    chasf Private E-2

    OK-

    I left SAS, MBAM, and CCleaner on there. Uninstalled ComboFix. Reinstalled SpywareBlaster, installed AntiVir Personal, ran Windows Updates and installed them, installed Java, and disabled Windows Defender.

    Anything else I need to remove or add, or any other suggestions or advice? BTW, I installed Firefox. Any suggestion between FF or IE?

    Thanks so much for everyone's help! This has actually been kinda fun! :-D
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.
    You really should install a real firewall as suggested in those instructions. Also you should add more memory. The minimum we recommend for Vista is 2 GB and you really do not even have 1 GB of usable memory since, of the 1 GB that came with your PC, it looks like they steal about 128 MB for the onboard video card. Your logs showed
    Code:
    Installed Physical Memory (RAM) 1.00 GB 
    Total Physical Memory 893 MB 
    Available Physical Memory 276 MB 
    I prefer IE myself. Some people like Firefox. In reality IE is more secure than Firefox these days. Even if you decide to primarily use Firefox, you will still need IE for many websites including Microsoft. You will not be able to get all of your updates without it.
     
