Am I clean?

Discussion in 'Malware Help (A Specialist Will Reply)' started by Wolf13, Oct 27, 2010.

  1. Wolf13

    Wolf13 Private E-2

    Hello again,

    Thanks very much for your previous help, but I now have a new problem.

    I've recently acquired a computer from a friend who hasn't touched it for the last two years. He admitted it was virus ridden and sure enough the scans that I have run have shown multiple viruses.

    I would like to make sure that the computer is now clean so would you please have a look at my attached logs?

    Unfortunately I already had CCleaner installed before I started the 'Read & Run Me First' and I ran it with all of the 'Advanced' options except 'Custom Files and Folders' and 'Wipe Free Space'. I'm sorry if this hinders you in any way.

    I also ran Malwarebytes' Anti-Malware after CCleaner but again before starting the 'Read & Run Me First', so this is why the attached log is a couple of days older, but hopefully this doesn't make a difference; I will run these again if need be.

    This is hopefully unrelated but I have been trying vainly to uninstall a program called 'TuneUp Utilities 2008'. As I try to run the uninstaller through Add/Remove Programs I get the following error message:

    'Error 1722. There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor.'

    It then proceeds to give me this error message:

    'Fatal error during installation.'

    As I have not installed any of these programs and don't know how they were acquired, I don't have any details to give to any 'support personnel or package vendor'.


    Any help with this is greatly appreciated and I thank you in advance :)
     

    Attached Files:

  2. Wolf13

    Wolf13 Private E-2

    Re: Possible Malware Slowing Internet Connection

    The MGtools log.
     

    Attached Files:

  3. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Hello, Wolf13.

    I am currently reviewing your logs and will get back to you with a set of instructions as soon as possible. Our queue is working the oldest threads first.

    dr.m
     
  4. Wolf13

    Wolf13 Private E-2

    Ok, thank you very much :)
     
  5. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    You're welcome.

    *Since you "inherited" this machine, it would be a good idea to do a thorough search for any remains of the following cracked software and remove them:
    NOTE: I would suggest that you update this browser Mozilla Firefox (3.0.13) for security reasons.

    Step 1:
    Please run the below, re-boot, then run it again:
    Norton Removal Tool (SymNRT) 2009.0.5.26

    Step 2:
    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Step 3:
    Now we need to use ComboFix.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Make sure you have shut down all protection software (antivirus, antispyware, firewall...etc) programs so they do not interfere with the running of ComboFix. *Remember to re-start them before coming back online.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text inside of the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
      If it asks you to override the previous file with the same name, click YES.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:
    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Step 4:
    Try using the below uninstaller to remove "TuneUp Utilities 2008" -
    Your Uninstaller! 2010

    Step 5:
    Open CCleaner - select "Cleaner" > "Run Cleaner" <---use this function ONLY!

    Step 6:
    Run this online scanner
    Using ESET's Online Scanner

    Step 7:
    Then run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Windows 7, use right click and select Run As Administrator).

    Please attach the C:\MGlogs.zip and the esetscan.txt log to your next reply.

    * Make sure you tell me if you had any problems running this procedure; and answer this - "What malware problems are you still experiencing?"

    dr.m
     
  6. Wolf13

    Wolf13 Private E-2

    As you suggested I deleted the cracked files in My Documents, I think that's the last of it anyway.
    I also updated Mozilla Firefox to the latest version.

    The Norton Removal Tool ran smoothly without any hiccups, as did HijackThis and ComboFix.

    I managed to remove TuneUp Utilities 2008; thank you for the suggestion of Your Uninstaller! 2010, it worked like a charm. However, I noticed that in the list of programs, 'Windows Internet Explorer 8' was found to be corrupt. I was wondering if a simple reinstall would fix this and if it is any indication of a malware infection.

    Otherwise no noticeable issues, I have attached the requested logs, ESET's online scanner found a few items.


    Again, thank you for all the help you've given me.
     

    Attached Files:

  7. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    You're welcome!

    *I see that you've done some additional cleanup and installs --- beyond what I gave to you... that adds time to my review of your logs - tracking all of the unexpected changes; and could have resulted in attempted installs being broken.

    The C:\MGTools\Process.exe Win32/PrcView application is a false positive, and the infected restore points will be dealt with in my final steps.

    Let's run Combofix again:

    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Make sure you have shut down all protection software (antivirus, antispyware, firewall...etc) programs so they do not interfere with the running of ComboFix. *Remember to re-start them before coming back online.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text inside of the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
      If it asks you to override the previous file with the same name, click YES.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:
    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Then run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Windows 7, use right click and select Run As Administrator).

    Please attach the new C:\MGlogs.zip file to your next reply.

    How is your machine running now?

    dr.m
     
  8. Wolf13

    Wolf13 Private E-2

    Sorry I didn't mean to hinder you in any way, I'll let it be until everything is finished.

    So should I try reinstalling Internet Explorer 8 once everything else is done?

    See the attached logs.

    I thought that it was running fine before your last post so I'm really no help in that respect sorry.

    Again thanks for all the help.
     
  9. Wolf13

    Wolf13 Private E-2

    Sorry, forgot to attach them -_-
     

    Attached Files:

  10. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    No harm - no foul... this time. ;)

    re: In the beginning of the READ & RUN ME FIRST. Malware Removal Guide it's stated:
    *We have all had to deal with the additional problems resulting from malware corrupting and breaking attempted software installs during malware removal - hence the above instructions. Once we have completed the cleaning, you are free to install whatever you wish.

    Yes - I'll provide a link or two for the steps in my final post, if you'd like.

    *These don't belong on your desktop - move them to your downloads folder:
    C:\Documents and Settings\Admin\Desktop\a2AntiMalwareSetup.exe
    C:\Documents and Settings\Admin\Desktop\IE8-WindowsXP-x86-ENU.exe

    Step 1:
    Since you've deleted the cracked software, let's get rid of a remaining service from Alcohol 120.
    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to StarWindServiceAE
    • Then right-click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Click OK until you get back to Windows.
    • Next, run C:\MGtools\analyse.exe, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy & paste StarWindServiceAE
      into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    • Now exit HJT

    Step 2:
    Using ComboFix... again.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Make sure you have shut down all protection software (antivirus, antispyware, firewall...etc) programs so they do not interfere with the running of ComboFix. *Remember to re-start them before coming back online.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text inside of the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    File::
    C:\Program Files\Alcohol Soft
    
    RegLockDel::
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|	–Ôw*]
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
      If it asks you to override the previous file with the same name, click YES.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:
    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Step 3:
    Open CCleaner - select "Cleaner" > "Run Cleaner" <---use this function ONLY!

    Step 4:
    Re-boot your PC

    Step 5:
    Then run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Windows 7, use right click and select Run As Administrator).

    Please attach the new C:\MGlogs.zip file to your next reply.

    dr.m
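Step 1 above retires a leftover service by hand (services.msc to stop and disable it, then HijackThis to delete it). The following PowerShell script is an added example, not code from the thread or from MajorGeeks, that performs the same audit-then-retire sequence so the result can be checked rather than eyeballed. It assumes PowerShell 2.0 or later in an elevated session and sc.exe on the path; the service name StarWindServiceAE is the one named in the post, and by default the script only reports, deleting nothing unless -Remove is given.

```powershell
# Added example (not from the thread): audit a leftover service, then optionally
# stop, disable and delete it. Assumes PowerShell 2.0+, elevated, sc.exe available.
param(
    [string]$ServiceName = 'StarWindServiceAE',   # name from dr.m's Step 1
    [switch]$Remove                                # without this, report only
)

function Get-ServiceReport {
    param([string]$Name)
    # Win32_Service exposes the start mode and the binary path; Get-Service does not.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$Name'"
    if (-not $svc) { return $null }

    # Pull the executable out of the (possibly quoted, possibly argument-bearing) PathName
    # so we can tell whether the service still points at a file that exists on disk.
    $exe = $null
    if ($svc.PathName -match '^"?([^"]+?\.exe)') { $exe = $Matches[1] }
    $exists = $false
    if ($exe) { $exists = Test-Path -LiteralPath $exe }

    New-Object PSObject -Property @{
        Name       = $svc.Name
        State      = $svc.State          # Running / Stopped
        StartMode  = $svc.StartMode      # Auto / Manual / Disabled
        BinaryPath = $svc.PathName
        BinaryOnDisk = $exists           # $false = orphaned entry, safe to delete
    }
}

function Retire-Service {
    param([string]$Name)
    # Same order as the manual steps: stop, set Start-up Type to Disabled, delete.
    Stop-Service -Name $Name -Force -ErrorAction SilentlyContinue
    Set-Service  -Name $Name -StartupType Disabled -ErrorAction SilentlyContinue
    # sc.exe delete marks the service for deletion; it disappears after the handle
    # in services.msc is closed or after a reboot, which is why Step 4 reboots.
    & sc.exe delete $Name | Out-Null
    return $LASTEXITCODE -eq 0
}

$before = Get-ServiceReport -Name $ServiceName
if (-not $before) {
    Write-Output "Service '$ServiceName' is not present; nothing to do."
    return
}
$before | Format-List Name, State, StartMode, BinaryPath, BinaryOnDisk

if ($Remove) {
    if (Retire-Service -Name $ServiceName) {
        Write-Output "Marked '$ServiceName' for deletion; reboot to complete."
    } else {
        Write-Output "sc.exe delete reported an error; check the service name and elevation."
    }
}
```

Run it once without -Remove to confirm the entry is the orphaned Alcohol 120% service (BinaryOnDisk false after the program folder is gone), then with -Remove. Keeping the report step separate from the delete step is the same discipline the thread applies with ComboFix: look at the log before acting on it.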
     
  11. Wolf13

    Wolf13 Private E-2

    Hey if you're still online dr moriarty I'm in need of a bit of help.

    I'm on the combofix stage of your previous instructions and nothing has happened for 20 minutes.

    A DOS window is up with the following on screen.

    Rebooting Windows...Please wait
    2. was unexpected at this time.

    I'm a bit nervous using combofix so I'd like a bit of guidance on this issue please.

    I'll post my logs after I have completed all the steps.
     
  12. Wolf13

    Wolf13 Private E-2

    Haven't figured out how to edit posts yet so sorry for the double up.

    I waited two hours and eventually just pressed the power button to turn off the computer; combofix was trying to shut down the computer anyway so I figured it would be ok.

    Apart from the hitch with combofix everything else went smoothly, see the logs below.
     

    Attached Files:

  13. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Hi, Wolf13

    After getting info that that locked registry key is probably not a problem, eset didn't flag it - I'll :neener at it and give our final instructions:

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to Add/Remove programs (Programs and Features if using Vista or Windows 7) and uninstall HijackThis.
    8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
    Safe surfing!
     
  14. Wolf13

    Wolf13 Private E-2

    Thanks very much for all of your help :)

    EDIT: Ah just one last thing - I entered the combofix uninstall into the run box. It seemed to run through a scan again and gave me a log file after rebooting. When I pulled the run box up again it showed me what I typed and I had put as follows:
    "%userprofile%\Desktop\combofix" \uninstall

    Does it matter that the final slash was a backslash and not a forward slash as indicated? I ran the uninstall again with the correct forward slash anyway and either way it seems to me that the combofix.exe on my desktop should have been deleted but this was not the case. I then manually deleted combofix.exe.

    I'd just like to say again how thankful I am for your help :)
     
    Last edited: Nov 2, 2010
  15. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    :)

    The forward slash is correct, and running the MGclean.bat file should have finished the cleanup.

    You're very welcome! I'm glad I was able to help you, Wolf13.

    dr.m
     
