Malware Infection Probable Did R & R 1st & Want to Know if I Still Need To Fix Anythi

Discussion in 'Malware Help (A Specialist Will Reply)' started by vkellogg, Aug 21, 2013.

  1. vkellogg

    vkellogg Private E-2

    I had some sort of malware affecting Firefox & Thunderbird. I've run the Run Me First protocol and will attach logs. In Combofix, I got the cannot find NIRKMD message. The only way I got Combofix to run was to keep hitting OK on the message window every time it popped up. I'm not sure if I should have done that, but couldn't find any advice on what to do in that circumstance anywhere. My logs are attached.
     

  2. vkellogg

    vkellogg Private E-2

    Firefox and Thunderbird are still frequently crashing (and I've taken all the steps suggested on Mozilla forums), so I believe I still have some sort of malware on my system. I think I may need to address some of what is in the ComboFix report, but am not sure how to go about it.

    Again, thank you very much to anyone who has time to respond.
     
  3. vkellogg

    vkellogg Private E-2

    Thunderbird is crashing even more frequently than Firefox, and the computer is crashing 3 or 4 times a day.

    I will greatly appreciate any help.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The READ and RUN ME FIRST did not ask you to run ComboFix and you really should not be running it on your own.

    Please attach the requested log from Hitman Pro. You may not be having malware problems.
     
  5. vkellogg

    vkellogg Private E-2

    Thank you for responding to my post. I thought I had attached HitMan Pro as one of the five attachments, but obviously I didn't. I'll attach it here. My Win 7 Pro machine keeps shutting down (to blue screen) and Firefox and Thunderbird keep crashing, especially anytime I go to Mozilla Support (but many random times as well). Mozilla s
     

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    Did you put the below junk on your PC?
    [RUN][SUSP PATH] HKCU\[...]\Run : Amazon Cloud Player (C:\Users\Administrator\AppData\Local\Amazon Cloud Player\Amazon Music Helper.exe [-]) -> FOUND
    [RUN][SUSP PATH] HKUS\S-1-5-21-2010888278-3844925359-1086979286-500\[...]\Run : Amazon Cloud Player (C:\Users\Administrator\AppData\Local\Amazon Cloud Player\Amazon Music Helper.exe [-]) -> FOUND

    Also do you know what the below SM1BG.EXE file is?
    [RUN][SUSP PATH] HKLM\[...]\Wow6432Node\[...]\Run : SM1BG (C:\Windows\SM1BG.EXE [7]) -> FOUND
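An added example, not from this thread or from the scanner's authors: a small Python parser for the scanner log lines quoted above (the `[RUN][SUSP PATH]` entries) that turns each one into a structured autorun record and applies a defender-side triage of where the image lives. The three sample lines are copied from the post; the triage rules are my own assumptions about what merits a second look, not the scanner's rules.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the three [RUN][SUSP PATH] lines quoted in the post above.
SAMPLE_LOG = r"""
[RUN][SUSP PATH] HKCU\[...]\Run : Amazon Cloud Player (C:\Users\Administrator\AppData\Local\Amazon Cloud Player\Amazon Music Helper.exe [-]) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-2010888278-3844925359-1086979286-500\[...]\Run : Amazon Cloud Player (C:\Users\Administrator\AppData\Local\Amazon Cloud Player\Amazon Music Helper.exe [-]) -> FOUND
[RUN][SUSP PATH] HKLM\[...]\Wow6432Node\[...]\Run : SM1BG (C:\Windows\SM1BG.EXE [7]) -> FOUND
"""

# Shape of one line: [CATEGORY][REASON] <key> : <value name> (<image path> [<flag>]) -> <status>
LINE_RE = re.compile(
    r"^\[(?P<cat>[A-Z]+)\]\[(?P<reason>[^\]]+)\]\s+(?P<key>\S+)\s+:\s+"
    r"(?P<name>.+?)\s+\((?P<image>.+?)\s+\[(?P<flag>[^\]]*)\]\)\s+->\s+(?P<status>\w+)$"
)

@dataclass
class AutorunEntry:
    hive: str      # HKCU / HKLM / HKUS: who the entry runs for
    key: str       # the abbreviated registry path as printed by the scanner
    name: str      # value name under the Run key
    image: str     # executable the Run value points at
    flag: str      # scanner's bracketed flag, e.g. "-" or "7"
    wow64: bool    # True if the key sits under Wow6432Node (32-bit view on 64-bit Windows)
    status: str

def parse_line(line: str) -> Optional[AutorunEntry]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    key = m.group("key")
    return AutorunEntry(hive=key.split("\\", 1)[0], key=key, name=m.group("name"),
                        image=m.group("image"), flag=m.group("flag"),
                        wow64="Wow6432Node" in key, status=m.group("status"))

def parse_log(text: str) -> List[AutorunEntry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]

def triage(entry: AutorunEntry) -> List[str]:
    """Reasons (assumed heuristics) a defender would look twice at this autorun."""
    img = entry.image.lower()
    reasons = []
    if "\\appdata\\" in img:
        reasons.append("runs from a user-writable profile directory")
    if re.match(r"^c:\\windows\\[^\\]+$", img):
        reasons.append("bare executable in the Windows root (not System32)")
    if entry.hive == "HKLM":
        reasons.append("machine-wide autorun, runs for every user")
    return reasons
```

Run `parse_log(SAMPLE_LOG)` and feed each entry to `triage()`; the SM1BG line is the one that collects two reasons, which matches why it was singled out in the post.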
     
  7. vkellogg

    vkellogg Private E-2

    Thank you for reviewing my log.

    Yes, I do use Amazon Cloud Player, and generally trust doing business with Amazon (provided I block their tracking/marketing stuff). However, I have no idea what "Wow6432Node" is related to. Should I get rid of it?

    Also, do you believe Amazon's Cloud Player has harm greater than its benefit of accessibility to any music (CDs, mostly) I've ever purchased from Amazon via any web enabled device? If so, I'll uninstall.

    Again, thank you for your time in reviewing my log.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.
    Okay, I have seen lots of complaints from people saying it slowed their PCs down.

    That's not what I was questioning. That is a Windows related registry key name. I was questioning this >> SM1BG.EXE

    Reports seem to imply it is related to Cypress Semiconductor. Possibly for external USB drives but I did not see a drive from Cypress.

    You do not have any major malware issues. Just a little junkware to cleanup but this is not going to clear up your problems with crashes. But let's fix it and see what happens anyway.



    Please download OTM by Old Timer and save it to your Desktop.
    • Run OTM.exe by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C
      (or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of
      the code box
    Code:
    :Processes
    explorer.exe
     
    :Files
    C:\Windows\TEMP\*.*
    C:\Users\Administrator\AppData\Local\Temp\*.*
     
    :Reg
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{BDB69379-802F-4eaf-B541-F8DE92DD98DB}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{C3110516-8EFC-49D6-8B72-69354F332062}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\AppID\{BDB69379-802F-4eaf-B541-F8DE92DD98DB}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\AppID\{C3110516-8EFC-49D6-8B72-69354F332062}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}]
    [-HKEY_USERS\S-1-5-21-2010888278-3844925359-1086979286-500\Software\Claro LTD]
    :Commands
    [purity]
    [EmptyTemp]
    [start explorer]
     
    
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Now click the large MoveIt! button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be
    saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach
    this log file to your next message.



    Now please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Note: That JRT may reset your home page to a google default so you will need to restore your home page setting if this happens.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).



    Then attach the below logs:
    • the C:\_OTM\MovedFiles log
    • the JRT.txt log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
    What protection software do you have installed? None is showing in your installed programs list but I see drivers from Comodo, AVG and Microsoft.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    And another comment about SM1BG.exe is
    Does that sound familiar?
     
  10. vkellogg

    vkellogg Private E-2

    Thank you for following up again.

    I've attached two copies of the OTM log, which will seem strange. When removing viruses, malware, etc., I've gotten in the habit of saving additional copies of all logs/reports in folders, named for the date of the episode, on another drive. I wasn't sure if I chose the correct file from the C drive so I added the file saved to the other drive as well.

    Additionally, Windows popped up an error report while running JRT and another while running MGTools. A copy of the error message while running JRT (pasted to WORD) is attached. Because the paste into WORD didn't get all of the error message, I took a single window screenshot of the error report while running MGTools. However, I must have made some kind of error while pasting the screenshot into paint because the saved file is blank.

    I only run the Cloud Player to create music Playlists & to download music from Amazon Cloud when I'm not otherwise using that computer, so I don't have a slow down issue.

    As for the SM1BG.EXE, two possibilities come to mind. When I was building this computer, I added USB cards to the board to support the USB connections on the front of the tower, so the SM1BG.EXE could be related to that. Or, I attach my Samsung tablet to this computer (via one of the front USB ports) to coordinate music playlists (to take on the road with bluetooth speakers), to copy in links to ebooks, etc.

    I use Microsoft Essential Security and Comodo Firewall and Defense+. The AVG driver must be leftover from trying AVG before deciding on Comodo. I turned my protection off while running the tools. I've re-enabled them now.

    I apologize for running ComboFix without instruction to do so. I got in the habit of using it before I discovered MajorGeeks and was following "do it yourself" malware removal guides. I'll drop that habit.

    So far, everything seems good. Firefox hasn't crashed this morning, while following your instructions from last night, and has reopened all browser windows after reboot. I reopened Thunderbird before writing this post and it has not crashed. I'll reboot again after posting this to make sure everything still works after whatever the error while running MGTools was. If there are problems, I'll post about them from another computer.

    Again, thank you very much for your time and expertise.
     

  11. vkellogg

    vkellogg Private E-2

    Thunderbird crashed a couple more times and, while closing Firefox and other windows in preparation for a re-boot, the machine crashed to blue screen. Started windows normally and it seems fine. Neither Firefox nor Thunderbird have crashed in the five or ten minutes they've been open. However, an extra Firefox instance was in my tray and it popped up a MajorGeeks window with a vBulletin Message saying "Invalid Post....". Since my post appears below this post on the computer I'm writing this from, I assume it went through.

    Again, thank you.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.
    Okay these issues with Firefox and Thunderbird are not due to malware. Your logs are clean. If you continue to have problems with them, you should post in the Software Forum.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Re-enable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
    3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    4. If running Vista, Win 7 or Win 8, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Now goto the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    7. If you are running Win 8, Win 7, Vista, Windows XP or Windows ME, do the below to flush restore points:
      • Refer to the instructions for your Windows version in this link: Disable And Enable System Restore
      • What we want you to do is to first disable System Restore to flush restore points some of which could be infected.
      • Then we want you to Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work thru the below link:
     
