I'd like to help out the malware forum

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by thisisu, Jun 11, 2011.

  1. thisisu

    thisisu Malware Consultant

    Greetings,

    I'm a big fan of what you guys do here and would like to help out.

    I'm a computer technician for a local PC Repair shop and consider myself to be very knowledgeable about how to go about removing malware from a compromised PC. It's something I enjoy very much.

    I haven't helped on other forums, but I recently started helping out on MG's Software forums and really enjoy that, but there is sometimes a lot of downtime and I find myself wanting to help out more. I'm subscribed to MG's RSS feed as well as Grinler's latest virus removal tutorial threads via RSS on my phone.

    I'm not familiar with all of the MGtools, but I'm sure I can pick it up quickly with a little guidance.

    I took a screenshot of my virus removal folder that I use at work, since I'm not able to provide any up to date proof of me helping people with virus removals.

    I don't know what else to write here, but I'm sure if you're interested you have some questions for me.

    Thanks for reading
     


  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I will bring this thread to Chaslang's attention ;) It would be great to have you on board.
     
  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Have you spent much time looking at the malware threads to become familiar with our procedures?
     
  4. thisisu

    thisisu Malware Consultant

    Great, looking forward to it

    I have gone through all the Run and readme first threads as well as the proceeding winxp, winvista, win7 removal threads. I've followed some of the specific/stubborn removal threads such as tdl3/tdl4 infections where you have to use even more tools than described in the initial README.

    I've noticed you guys want to make sure combofix kills certain files/folders by using CFScript.txt, and it looks like most of these are gathered from runkeys.txt or previous combofix.txt files.

    I think I could pick it up rather quickly, I'm very familiar with all of the tools you already use except the MGtools which I'm trying to familiarize myself with.
     
  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    The MGTools is just a way of gathering info about the system. It can show infections in the RunKeys, Newfiles and sometimes in HJT. For some infections, process.dll log can be of help. One way of familiarizing yourself with the logs and fixes is to pick a thread that has not yet been replied to, has the logs attached and then you go through the logs and try to find what needs removing. Compare your "fix" to what is given once one of us gets to it. ;)
     
  6. thisisu

    thisisu Malware Consultant

    Ok, trying to find the next thread that needs servicing and I came up with this one

    Runkeys.txt has:

    regist~1.job Jun 12 2011 280 "RegistryBooster.job

    also:

    http://ss.websearch.ask.com/query?qsrc=2922&li=ff&sstype=prefix&q={searchTerms}"

    First I'd have them uninstall Uniblue RegistryBooster if possible, have them reboot PC to safe mode so changes take effect. Combofix for whatever reason doesn't pick it up as malicious anymore :(, it's very troublesome though, and free to get anyways: if you were to install limewire/frostwire, it comes bundled with it.

    Have them look for and remove ask.com toolbar from add/remove programs.

    Code:
    KILLALL::
    
    File::
    C:\WINDOWS\Tasks\RegistryBooster.job
    
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif



    From newfiles.txt

    NPE Jun 11 2011 "NPE"
    {AB2D8~1 May 10 2011 "{AB2D8F2E-F7AD-4446-A11A-50D846B2CF2A}" // Not sure what this is

    These look suspicious to me, at the root of C:

    Locating all files created in C:\
    189A7D~1 Nov 8 2009 "189a7dd8761dc2a950"
    24.tmp Aug 27 2010 0 "24.tmp"
    27.tmp Aug 25 2010 0 "27.tmp"
    2d.tmp Aug 25 2010 0 "2D.tmp"
    2e.tmp Aug 27 2010 0 "2E.tmp"
    2f.tmp Aug 25 2010 0 "2F.tmp"
    30.tmp Aug 27 2010 0 "30.tmp"
    37.tmp Aug 27 2010 0 "37.tmp"
    3a.tmp Aug 25 2010 0 "3A.tmp"
    3c.tmp Aug 25 2010 0 "3C.tmp"
    3e.tmp Aug 25 2010 0 "3E.tmp"
    3f.tmp Aug 27 2010 0 "3F.tmp"
    41.tmp Aug 27 2010 0 "41.tmp"
    44.tmp Aug 27 2010 0 "44.tmp"
    6d.tmp Aug 25 2010 0 "6D.tmp"
    6f.tmp Aug 25 2010 0 "6F.tmp"
    72.tmp Aug 27 2010 0 "72.tmp"
    74.tmp Aug 27 2010 0 "74.tmp"

    I'm also questioning these:

    branches.pnf Jun 12 2011 4676 "branches.PNF"
    infcache.1 Jun 12 2011 1458352 "INFCACHE.1"

    They have 2 entries of

    Uniblue RegistryBooster
    Uniblue RegistryBooster

    in the "Dumping HKLM Uninstall Programs list"

    If MSI installer is broken, see if the service is started. I've heard it can be started from safe mode, but I haven't had any success with that.

    So I'd go back to normal mode and run the following from cmd prompt

    msiexec.exe /unregister
    msiexec.exe /regserver
     
    Last edited: Jun 12, 2011
  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    The temp files in C: are all 0 bytes, so no big deal. The add/remove programs list in Newfiles often duplicates the installed programs, so that is just a quirk in the NewFiles log.

    You could try doing that, but remember, we are basically doing malware removal so problems with software/hardware should be sent to those forums.

    This one ( IIRC ) was basically clean.

    Try another!! :-D:-D
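As an added example (not code from the thread or from MajorGeeks' own MGTools), a small Python helper that parses file-listing lines in the shape quoted above and buckets them by the rules of thumb TimW and thisisu state: 0-byte .tmp files in C:\ are noise, while .job scheduled tasks and bare-GUID folders get a second look before anything is removed. The line format (short name, date, optional size, quoted long name) is inferred from the quoted lines and is an assumption, as are the sample lines, which are copied from the posts rather than a full log.

```python
import re

# One entry of an MGTools-style file listing (format inferred from the
# thread's quoted lines; this is an assumption, not a documented spec).
LINE_RE = re.compile(
    r'^\s*(?P<short>\S+)\s+'
    r'(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<year>\d{4})\s+'
    r'(?:(?P<size>\d+)\s+)?'
    r'"(?P<long>[^"]*)"?'   # tolerate the missing closing quote seen in the post
    r'\s*(?://.*)?$'        # tolerate a trailing "// ..." remark
)

def parse_line(line):
    """Return a dict for one listing line, or None if it is not a listing line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    size = m.group("size")
    return {"short": m.group("short"), "size": int(size) if size else None,
            "date": f'{m.group("mon")} {m.group("day")} {m.group("year")}',
            "long": m.group("long")}

def triage(entry):
    """Bucket an entry using the rules of thumb stated in the thread."""
    name = entry["long"].lower()
    if name.endswith(".tmp") and entry["size"] == 0:
        return "ignore"   # TimW: 0-byte temp files in C:\ are no big deal
    if name.endswith(".job"):
        return "review"   # scheduled tasks (RegistryBooster.job) deserve a look
    if re.fullmatch(r"\{[0-9a-f-]{36}\}", name):
        return "review"   # a bare GUID folder: identify it before touching it
    return "note"

def triage_log(text):
    buckets = {"ignore": [], "review": [], "note": []}
    for line in text.splitlines():
        entry = parse_line(line)
        if entry:
            buckets[triage(entry)].append(entry["long"])
    return buckets

# Constructed sample: lines copied from the thread, not a complete log.
SAMPLE = '''\
regist~1.job Jun 12 2011 280 "RegistryBooster.job
NPE Jun 11 2011 "NPE"
{AB2D8~1 May 10 2011 "{AB2D8F2E-F7AD-4446-A11A-50D846B2CF2A}" // Not sure what this is
24.tmp Aug 27 2010 0 "24.tmp"
branches.pnf Jun 12 2011 4676 "branches.PNF"
'''
```

Running `triage_log(SAMPLE)` leaves only the .job and the GUID folder in the "review" bucket, which matches the order TimW suggests: compare your own shortlist against the fix a staff member posts before acting on it.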
     
  8. thisisu

    thisisu Malware Consultant

    Hehe sup, yes I'm currently looking for another one that hasn't been serviced yet.
     
  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You have mail. LOL
     
