Are we clean, yet?

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Alana in Canada, Aug 7, 2011.

  1. Alana in Canada

    Alana in Canada Private E-2

    Hi,
I have been having major problems with the computer running extremely slowly. As well, using Windows Task Manager to keep an eye on things, I noticed that things would run...then "not respond" then run...and so on. CPU usage was at 100% when things got really bad.

    The problems seemed to clear up for most of the day yesterday, then reappeared last night in the form of completely "freezing" the computer--nothing could be clicked in any way.

    Fortunately, things loosened up a bit today--enough to run diagnostics. SAS found some adware and removed it--things went really well once that was gone.

    Nonetheless, I cannot tell if everything is gone.

    Here are my logs. I could not figure out how to extract root repeal in order to run it.

    Thanks so much!
     

    Attached Files:

  2. thisisu

    thisisu Malware Consultant

    Hi,

I'm reviewing your logs. Please be patient as there is a lot of information to review.
     
  3. thisisu

    thisisu Malware Consultant

I'm not seeing any malware in your logs so far. We can do some things to clean up and use another program to check for malware.

    From Add/Remove Programs (via Control Panel), please uninstall the following:

    • Java(TM) 6 Update 25 <-- old
    • SUPERAntiSpyware <-- was not installed properly

    Please download Disable/Remove Windows Messenger to your Desktop.
    See the download links under this icon http://forums.majorgeeks.com/chaslang/images/MGDownloadLoc.gif

    1. Double-click MessengerDisable.exe
    2. Place a check-mark in Uninstall Windows Messenger
    3. Click Apply
    4. Click Exit


Copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double-click it and allow it to merge with the registry.

    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.

    Please also download MBRCheck to your Desktop.
    See the download links under this icon http://forums.majorgeeks.com/chaslang/images/MGDownloadLoc.gif
    • Double click MBRCheck.exe to run (Vista and Win7 right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Attach this log to your next message. (How to attach items to your post)

    Now download and install Sun Java Runtime Environment 7
    See the download links under this icon http://forums.majorgeeks.com/chaslang/images/MGDownloadLoc.gif

    Now run C:\MGtools\GetLogs.bat by double-clicking on it (Vista and Win7 right click and select Run as Administrator)

    This will automatically update all the logs in MGlogs.zip!
    Make sure you click Accept on the License Agreement from HiJackThis!/analyse.exe twice (yes twice) if prompted.

    Then attach C:\MGlogs.zip to your next message (How to attach items to your post)
     
  4. Alana in Canada

    Alana in Canada Private E-2

    HI!
    Thanks for looking over those files. Sorry they were so big!

    I've run through the steps you suggested. I had a bit of difficulty with trying to remove Super Anti-spyware, though. I used add/remove programs. During the uninstall, the computer opened a window in IE. It never "fully" opened--that is-- icons appeared across the top--all the toolbars showed up: but the screen below them was blank and stayed that way.

I became concerned. After about 5 minutes I tried to close Add/Remove Programs. I could not. I could not even click it into the tray at the bottom. I checked Windows Task Manager and Add/Remove Programs did not show up--nor did IE. I decided to bail out, so I successfully restarted the computer using the Task Manager--and when I went and checked Add/Remove Programs, SAS was not there. I don't know if it is gone or not, though. There is still an icon on my desktop called SUPERantispywarefree.exe.

    The fixme file worked well, thank you! I received a message it was successful.

    Here are the other logs you've requested.

    Thank you so much!
     

    Attached Files:

    Last edited: Aug 8, 2011
  5. thisisu

    thisisu Malware Consultant

    You uninstalled it correctly. Also, it is normal for SUPERAntiSpyware to launch an IE window after you uninstall it. It's only letting you know that it was uninstalled and I believe they present you with a survey of why you uninstalled it, etc...

    I noticed you downloaded Sun Java Runtime Environment 7
    It is on your Desktop, but it doesn't look like it has been installed. Did you have any trouble with installing it? If you haven't run the installer yet, please do so now and then proceed with the next step. If you are having trouble with installing Java, let me know what error message you are getting from it in your next post, but continue with the below steps regardless:

    Now we need to use ComboFix
    • Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or needs to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFScript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFScript.txt on top of ComboFix.exe
      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    • Follow the prompts.
    • When it finishes, a log will be produced named C:\ComboFix.txt
    • Attach this log to your next message. (How to attach items to your post)
    Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    If after running ComboFix you discover none of your programs will open up because you receive the following error: Illegal operation attempted on a registry key that has been marked for deletion, then you will need to reboot your computer, which will normally fix this problem.

    Now run C:\MGtools\GetLogs.bat by double-clicking on it (Vista and Win7 right click and select Run as Administrator)

    This will automatically update all the logs in MGlogs.zip!
    Make sure you click Accept on the License Agreement from HiJackThis!/analyse.exe twice (yes twice) if prompted.

    Then attach C:\MGlogs.zip to your next message (How to attach items to your post)

    **** Let me know how the PC is running after you've completed these steps ****
     
  6. Alana in Canada

    Alana in Canada Private E-2

    Hi!

    Good to know. Appreciate it.

    My duh. Sorry. I just forgot. It is installed now.

    I am fairly sure I "inserted" the notepad details into the combofix program. I hope I did. I got a message (as I did the first time I ran it) that I do not have the "Windows Recovery Console" or some such thing. Combofix said it would install it for me--but didn't--even after I opened Firefox in order to give it the internet connection it wanted.

    Is this an issue?

    It seems to be running beautifully. Files and documents are opening quickly. It's like having a whole new beast. Thank you.

    Here are the logs you requested. Is it time to go for a beer (or non-alcoholic beverage of choice) and celebrate yet?
     

    Attached Files:

  7. thisisu

    thisisu Malware Consultant

    No.

    You're welcome. Go have that beer and celebrate ;) Latest logs are clean.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to Add/Remove Programs and uninstall HijackThis if it is present.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double-click on this file to run this cleanup program, which will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
  8. Alana in Canada

    Alana in Canada Private E-2

    Hooray!

    :clap::clap::clap::clap::clap:
    I wish I could buy you a beer, too (or a nonalcoholic beverage of choice.) You did all the work, really. Thanks so much for doing this. I--and many like me--would be so lost without you!
     
