Cannot remove malware/spyware

Discussion in 'Malware Help (A Specialist Will Reply)' started by mrgreenfeet, Nov 27, 2008.

  1. mrgreenfeet

    mrgreenfeet Private E-2

    I have done steps 1 and 2 on the Read Me First. I cannot complete step 3 for the following reason:

    I cannot connect to any antispyware/antimalware/antivirus sites on my computer. I used our second computer to download the programs on step 3, burned them to disk, and tried to install on my computer. I cannot install Spybot Search & Destroy, ComboFix, or MG Tools. I cannot run SuperAntiSpyware or Malwarebytes.

    I am currently using Zone Alarm Pro (15-day trial period), but I installed it after my computer was infected. Up until then, I was using Zone Alarm Firewall, AVG antivirus, and AdAware.

    I can reach many sites on the internet, but none for security. I cannot defrag my computer or use System Restore. My computer is running XP. Up until my computer was infected, I got updates as soon as they were available. Please let me know whatever additional information you need.
    Thank you for your help.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Are you sure that you really tried to run MGtools.exe? It does not require a Windows installation. It just runs. Did you try renaming the other installer programs as suggested in the instructions? Did you try running things in safe boot mode too? Have you tried physically unplugging your cable to the internet while trying to do all of these steps?

    Keep the following in mind. If you cannot run anything and cannot get us any logs, we cannot help you. Thus your next step is to reinstall.
     
  3. mrgreenfeet

    mrgreenfeet Private E-2

    I was reading your forum and I have av2009 virus. I kept getting the popups. I installed MG Tools in Safe Mode and have attached the logs. This is the only program I can run. (see first message) I hope this information is helpful to you in trying to resolve my problem. Thank you SO much for your help. Yes, I did unplug my computer from the modem while trying to run these programs.
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No, you did not attach the logs. You attached a snapshot of a HijackThis log, which is not what we need, and it is only one of many logs from running MGtools. Please attach the log files that are requested, not snapshots of logs. The log from MGtools is C:\MGlogs.zip as specified in the instructions.
     
  5. mrgreenfeet

    mrgreenfeet Private E-2

    I cannot reach your site on my computer because the malware is blocking it. I am using our second computer to communicate with you. If I send an attachment to this computer it will get infected also. That's why I printed out the logs, scanned them into this computer, and attached them to my message. I will go back to my computer and check for the mglogs.zip, but I can only send them by printing them out, scanning into this computer, saving them on notepad, and attaching in a message. Is that what you want me to do?
     
  6. mrgreenfeet

    mrgreenfeet Private E-2

    I have located the mgtools.zip file on my computer. It is rather a lengthy file, so can you suggest any other way I can get this file to you other than saving it to this second computer? I definitely don't want to infect this second computer because it's the only way I can stay in contact with you. Thank you.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The log file is C:\MGlogs.zip not MGtools.zip (or perhaps you are looking at MGtools.exe which is the installer program you downloaded from us).

    We need the MGlogs.zip file which contains 9 text logs for us to even try and get started. All you attached was a scan of 1 file and a scan is of no use to us. We need the actual text logs that are in the ZIP file to create fixes.

    Just copying this ZIP file to the other PC should not be a problem. By what method are you going to transfer it? Are your PCs connected via file sharing, or are you referring to using a flash drive, CD or floppy?


    When you tried to run SUPERAntiSpyware, ComboFix and Malwarebytes, exactly what happens?
    • were you able to download them okay?
    • were you able to install them okay?
    • when you try to run them after installing what happened?
     
  8. mrgreenfeet

    mrgreenfeet Private E-2

    I'm sorry. I meant to say mglogs.zip (brain lapse). I do have the mglogs.zip file.

    We don't have file sharing. I copied the file to CD and am attaching. I hope I've done this correctly.

    Downloaded SuperAntiSpyware on second computer, saved to CD, and installed on computer. When I try to run, I get the Microsoft message: Application has encountered a problem and needs to close.

    Downloaded Malwarebytes on second computer, saved to CD, and installed on computer. When I try to run, nothing happens at all.

    Downloaded ComboFix, CCleaner and Spybot S&D on second computer, saved to CD, but cannot install them on computer even in Safe Mode.

    I appreciate your help and patience with me. Thank you.
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Click Start > Control Panel > System > Hardware > Device Manager > View > Show Hidden Devices.
    • Scroll down to “Non-plug and Play Drivers” and click the plus icon to open those drivers.
    • Then search for TDSSserv.sys
    • Let me know if you find this or not.
    • If you do find it, right click on it, and select “Disable”. Do not try to uninstall it.
    • Also if this is found and you disable it, then reboot and see if you can run the other scans that would not run.
     
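The check chaslang walks through above (look for a hidden non-Plug-and-Play driver, TDSSserv.sys, under Device Manager) can also be done by auditing the driver services registered under HKLM\SYSTEM\CurrentControlSet\Services. The script below is an added example and is not part of the thread or of MGtools: it flags driver services that are on a watch list, whose image file is missing, or whose image loads from outside the drivers directory. The service records and file list it audits are constructed, `WINDOWS_ROOT` is assumed to be C:\WINDOWS, and the registry reader only runs on Windows.

```python
"""Audit kernel-driver services for a hidden driver such as TDSSserv.sys.
Added example, not from the MajorGeeks thread or MGtools; the sample
service records and file list below are constructed."""
import sys

# Assumption: the system root; real systems may differ
WINDOWS_ROOT = r"C:\WINDOWS"
DRIVERS_DIR = (WINDOWS_ROOT + r"\system32\drivers").lower()
SERVICE_KERNEL_DRIVER = 1  # registry Type value for driver services


def normalize_image_path(image_path):
    """Turn the spellings found in ImagePath values into one absolute path."""
    p = image_path.strip().strip('"')
    low = p.lower()
    if low.startswith("\\systemroot\\"):
        p = WINDOWS_ROOT + p[len("\\systemroot"):]
    elif low.startswith("system32\\"):
        p = WINDOWS_ROOT + "\\" + p
    elif low.startswith("\\??\\"):
        p = p[4:]
    return p


def audit_driver_services(services, file_exists, watch=()):
    """Return findings for driver services that are on a watch list, point at
    a missing file, or load from outside the drivers directory."""
    watch_lower = {w.lower() for w in watch}
    findings = []
    for svc in services:
        if svc.get("type") != SERVICE_KERNEL_DRIVER:
            continue
        path = normalize_image_path(svc.get("image_path", ""))
        reasons = []
        if svc["name"].lower() in watch_lower:
            reasons.append("name on watch list")
        if not path:
            reasons.append("no ImagePath")
        elif not file_exists(path):
            reasons.append("image file missing")
        elif path.lower().rsplit("\\", 1)[0] != DRIVERS_DIR:
            reasons.append("image outside drivers directory")
        if reasons:
            findings.append({"name": svc["name"], "image_path": path,
                             "reasons": reasons})
    return findings


def collect_services_from_registry():
    """Read Type and ImagePath of every service from HKLM (Windows only)."""
    if sys.platform != "win32":
        return []
    import winreg
    services = []
    root = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                          r"SYSTEM\CurrentControlSet\Services")
    index = 0
    while True:
        try:
            name = winreg.EnumKey(root, index)
        except OSError:          # no more subkeys
            break
        index += 1
        rec = {"name": name, "type": None, "image_path": ""}
        with winreg.OpenKey(root, name) as key:
            for field, value_name in (("type", "Type"), ("image_path", "ImagePath")):
                try:
                    rec[field] = winreg.QueryValueEx(key, value_name)[0]
                except OSError:  # value not present for this service
                    pass
        services.append(rec)
    return services


# Constructed sample data standing in for the registry and the file system
SAMPLE_SERVICES = [
    {"name": "mouclass", "type": 1, "image_path": r"system32\DRIVERS\mouclass.sys"},
    {"name": "TDSSserv", "type": 1, "image_path": r"\SystemRoot\system32\drivers\TDSSserv.sys"},
    {"name": "ghostdrv", "type": 1, "image_path": r"\SystemRoot\system32\drivers\ghostdrv.sys"},
    {"name": "fakedrv", "type": 1, "image_path": r"C:\Documents and Settings\user\Local Settings\Temp\fakedrv.sys"},
    {"name": "Spooler", "type": 16, "image_path": r"C:\WINDOWS\system32\spoolsv.exe"},
]
SAMPLE_FILES = {
    r"c:\windows\system32\drivers\mouclass.sys",
    r"c:\windows\system32\drivers\tdssserv.sys",
    r"c:\documents and settings\user\local settings\temp\fakedrv.sys",
}


def sample_file_exists(path):
    return path.lower() in SAMPLE_FILES


def run_sample():
    """Audit the constructed records; on Windows, pass the output of
    collect_services_from_registry() and os.path.exists instead."""
    return audit_driver_services(SAMPLE_SERVICES, sample_file_exists,
                                 watch=["TDSSserv"])


if __name__ == "__main__":
    for f in run_sample():
        print(f["name"], f["image_path"], ", ".join(f["reasons"]))
```

A hit on the watch list only says the service is registered; as in the thread, the follow-up is to disable it and reboot rather than delete files by hand, since a rootkit driver that is still loaded can interfere with the tools that would otherwise clean it.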
  10. mrgreenfeet

    mrgreenfeet Private E-2

    Was able to locate and disable TDSSserv.sys. Rebooted and am now running SuperAntiSpyware per instructions on XP Cleaning page (I printed them out earlier). Will try to run Malwarebytes next. If it scans, I will try to install the other programs on the list that I couldn't install earlier.

    Again, thank you SO much!
     
  11. mrgreenfeet

    mrgreenfeet Private E-2

    SAS scan completed. Attached is the scan log. I can actually reach your site on MY computer now. I will be installing and running all the rest of the programs listed under cleaning. I will run Malwarebytes next and send log when it finishes. (May not be until tomorrow.)

    Thank you SO very much for your help!
     

    Attached Files:

  12. mrgreenfeet

    mrgreenfeet Private E-2

    Ran Malwarebytes. Scan log attached.

    Thank you again!
     

    Attached Files:

  13. mrgreenfeet

    mrgreenfeet Private E-2

    Ran ComboFix. Scan log attached. Still having a problem:

    Ran Spybot S&D after checking for updates. (No, I didn't install Tea Timer.) One problem could not be fixed:
    SpywareBot.Spyware Stop
    1 Entries MalwareC

    Rebooted computer and ran Spybot again. Still could not fix the problem.

    Thanks for your help with this.
     

    Attached Files:

  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Is this the only current problem? Attach the log from Spybot so I can see exactly what it is finding and where.

    Also do the below.

    Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Uninstall the below software:
    Viewpoint Media Player <-- should have been uninstalled in step 1 of the READ ME

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    O1 - Hosts: # Copyright (c) 1993-1999 Microsoft Corp.
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
    O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
    O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)


    After clicking Fix, exit HJT.

    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\Temp
    C:\Documents and Settings\Nita McLeroy\Local Settings\Temp

    Now run CCleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
    Last edited: Dec 3, 2008
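The fix list in the post above is made of HijackThis log lines, and four of the seven are entries whose registered file is marked "(file missing)", leftovers of an AVG install that the thread has HJT remove. The parser below is an added example, not HijackThis or MGtools code: it takes those seven lines (copied from the post) as sample input, splits each into section, name, CLSID and target, and returns the orphaned entries. The parsing rules are my own reading of the line formats shown here and cover only the sections that appear on the page.

```python
"""Parse HijackThis-style log lines and pick out orphaned entries.
Added example, not HijackThis or MGtools code; the rules below are
derived from the seven lines in the thread."""
import re
from dataclasses import dataclass

# The seven lines from the fix list above, used here as sample input
HJT_LINES = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O1 - Hosts: # Copyright (c) 1993-1999 Microsoft Corp.
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
"""

LINE_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
O4_RE = re.compile(r'\[(?P<name>[^\]]+)\]\s*(?:"(?P<quoted>[^"]+)"|(?P<bare>\S+))')
MISSING = "(file missing)"


@dataclass
class HjtEntry:
    section: str
    body: str
    name: str = ""
    clsid: str = ""
    target: str = ""        # file path or value the entry points at
    file_missing: bool = False


def parse_hjt_line(line):
    """Return an HjtEntry for one log line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    e = HjtEntry(m["section"], m["body"])
    e.file_missing = e.body.endswith(MISSING)
    clsid = CLSID_RE.search(e.body)
    if clsid:
        e.clsid = clsid.group(0)
    if e.section in ("O2", "O3", "O18"):
        # "<kind>: <name> - {CLSID} - <path> [(file missing)]"
        parts = e.body.split(" - ")
        if len(parts) >= 3:
            e.name = parts[0].split(":", 1)[1].strip()
            e.target = parts[2].replace(MISSING, "").strip()
    elif e.section == "O4":
        # '<hive>\..\Run: [<name>] "<exe>" <args>'
        m4 = O4_RE.search(e.body)
        if m4:
            e.name = m4["name"]
            e.target = m4["quoted"] or m4["bare"]
    elif e.section.startswith("R"):
        # "<key>,<value name> = <value>"
        left, _, value = e.body.partition(" = ")
        e.name = left.rsplit(",", 1)[-1]
        e.target = value
    return e


def parse_hjt_log(text):
    return [e for e in map(parse_hjt_line, text.splitlines()) if e]


def orphaned_entries(entries):
    """Entries whose registered file no longer exists: a registry reference
    with nothing behind it, which is why the thread has HJT remove them."""
    return [(e.section, e.name, e.target) for e in entries if e.file_missing]


if __name__ == "__main__":
    for sec, name, target in orphaned_entries(parse_hjt_log(HJT_LINES)):
        print(f"{sec:<4} {name:<40} {target}")
```

Only the "(file missing)" entries are selected automatically; an entry that still points at an existing file (the O4 QuickTime task, the R0 start page) needs a person to decide, which is why chaslang lists them by hand.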
  15. mrgreenfeet

    mrgreenfeet Private E-2

    I removed Windows Messenger as instructed.
    I uninstalled Viewpoint Media Player (sorry I missed it the first time.)
    I ran MGtools\analyse.exe and removed the items listed except for:
    O1 - Hosts: # Copyright (c) 1993-1999 Microsoft Corp. because it was not on the analyse readout. Everything else on the list was removed.
    I ran ComboFix as instructed with the file CFscript.txt.
    I had already installed the current version of Sun Java, but I downloaded and installed again.
    I deleted files from C:\Windows\Temp and C:\Documents.....\Temp
    I ran CCleaner.
    I ran the MGtools\Getlogs.bat

    I have searched every folder on my C drive and in Spybot Search & Destroy, and I cannot find any logs for S&D. Can you please tell me what to look for so I will know what to send you?

    After I did all this, I ran Spybot S&D again, and I still have the same problem with Spywarebot.Spyware Stop. S&D cannot remove it.

    Attached are logs:
    Combofix.txt
    Mglogs.zip

    This seems to be the only problem, but I don't know for sure.

    Again, I appreciate your help and patience with me.
     

    Attached Files:

  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Spybot logs are normally stored in the below folder:

    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs

    You can also run a new scan and when it finishes, just right click in the scan results window and save a log wherever you wish. ;)
     
  17. mrgreenfeet

    mrgreenfeet Private E-2

    Thank you SO much. Ran another Spybot S&D scan this morning and am attaching the log.

    chaslang: You have helped me so much, and I truly appreciate all the time you have spent on my problem. :)
     

    Attached Files:

  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    All Spybot is reporting is a leftover folder from a rogue program you had installed at one time. All you have to do is delete the below folder yourself:

    C:\Documents and Settings\Nita McLeroy\Application Data\SpywareStop\

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\combofix folder from combofix (if it exists)
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    8. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
  19. mrgreenfeet

    mrgreenfeet Private E-2

    THANK YOU, chaslang!!

    I've done all the steps you sent, and I will follow the suggestions on how to protect yourself from malware. I will continue to check your site to see if there are any new suggestions. We are planning to purchase SAS and install on both computers.

    I sincerely appreciate your time and effort. You are A-number-1 in my book!

    BTW: I totally get this: "There are 10 types of people in this world. Those who understand binary and those who don't." Done some math in my day!

    Have a great day!
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome ( and thanks ;) ) Surf safely!
     
  21. mrgreenfeet

    mrgreenfeet Private E-2

    chaslang:

    After reading 'how to protect yourself', I followed the instructions. I purchased SAS, am using Avast antivirus, spyware blaster, and online armor firewall. I also save all email attachments to my desktop and scan them before opening. After this nightmare with malware, I am going to be super careful! I never click on pop-ups, and I am very careful what sites I visit.

    My computer is clean as is our second computer (which has the above security measures also.)

    I really cannot thank you enough for all your help.

    Take care!
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. I recommend that you not save attachments to your Desktop. Create a folder somewhere else and save them there for scanning. Once scanned and if they are clean, move them to wherever you want to save them (not your Desktop).
     
  23. mrgreenfeet

    mrgreenfeet Private E-2

    Thanks chaslang. I will create a folder in My Documents to save and scan all attachments before opening. If there is anything else I can do to protect these computers, please let me know. I always appreciate good advice! :)
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Would not be my preference since most downloads are not "documents". They are programs. But whatever works for you to manage things in the end. It's always your choice. However here is what I always do. I create a Downloads folder, like

    C:\Downloads

    Under this folder I create categories of subfolders, like:

    C:\Downloads\AntiVirus
    C:\Downloads\AntiSpyware
    C:\Browsers
    ..... etc

    And under those folders there are more category subfolders to contain the specific downloads. Like

    C:\Downloads\AntiVirus\AVG
    C:\Downloads\AntiVirus\Avast
    C:\Downloads\AntiVirus\McAfee

    And under them may even be more specific folders like:

    C:\Downloads\AntiVirus\AVG\AVG AntiVirus Free Edition 8.0 Build 175a1382
    C:\Downloads\AntiVirus\AVG\AVG Anti-Virus Update December 15, 2008
    C:\Downloads\AntiVirus\AVG\AVG Internet Security 8.0.93.1283

    I think you get the point of the above. At any given point in time, I can always tell exactly what I have downloaded because the folder names (like a file cabinet) tell me exactly what I have. Even after months without looking at some file, I know exactly what it is because of where it is located. For example, if I had simply downloaded and saved WDC3Setup.exe to My Documents and then a few weeks or months later saw it, I would be wondering, what the heck is this..... is it safe to run it to find out what it is??? However, by my method, it is not saved to My Documents; it is saved like this:

    C:\Downloads\Drive-Cleaners\Wise Disk Cleaner 3.7.4\WDC3Setup.exe

    That is rather self-explanatory on what it is. ;)
     
