Cleaned up malware using instructions but a few errors persist

Discussion in 'Malware Help (A Specialist Will Reply)' started by noavatars, Mar 1, 2009.

  1. noavatars

    noavatars Private E-2

    I was searching for an SNL video online and at some point I apparently clicked on something bad, because I got one of those bogus "spyware removal" icons in my tray.

    I went through the spyware removal instructions you posted and it's running better, but a few errors persist:

    My McAfee VirusScan pops up every once in a while complaining about files called A0021257.dll and A0021258.dll. Also I get a really annoying application error for wmiprvse.exe. I can click "Ok" to close, "cancel" to debug or just close the error message. Whatever I do, the message pops up repeatedly until I just have to hide it at the bottom of the screen. If I close all the windows that are open, I can sometimes make this go away. Other than that, no symptoms.

    Posting logs, thanks in advance...
     

    Attached Files:

  2. noavatars

    noavatars Private E-2

    Posting the 4th file
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Who or what is putting the below folders in the system32 folder?
    Code:
    "C:\WINDOWS\system32\"
    CATALE~1      Jan 22 2009              "catalentPROD"
    DUFFAN~1      Nov 17 2008              "duffandphelpsPROD"
    JABIL         Dec 23 2008              "jabil"
    LAUREA~1      Nov 18 2008              "laureatePROD"
    NOVONO~1      Jan  6 2009              "novonordisk"
    PSIPROD       Dec 18 2008              "psiPROD"
    RLIPROD       Nov 17 2008              "rliPROD"
    THEGLO~1      Dec 17 2008              "theglobalfundPROD"
    UIPROD        Dec  4 2008              "uiPROD"
    I strongly advise you to cleanup your Desktop. Remove everything but links to run programs. Do not download and save programs here and definitely do not use it for long term storage. You need to keep ComboFix.exe here for now as we need it, but we will be removing it when we are finished with your cleanup. A cluttered Desktop is malware's playground and it can also cause performance degradation especially when you start saving large files here like you are doing.

    Run this Disable/Remove Windows Messenger
    to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same.
    Windows Messenger is a frequent cause of popups.

    Uninstall the below software:
    Java(TM) 6 Update 5
    Viewpoint Media Player <-- should have been uninstalled in step 1 of the READ ME

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKCU\..\Run: [rundll32.exe] rundll32.exe "C:\Documents and Settings\dgarofalo\Application Data\Macromedia\Common\005380161.dll""
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\e980072e-4246-47ae-a515-6aa96f750d02.exe
    O4 - HKUS\S-1-5-18\..\Run: [rundll32.exe] rundll32.exe "C:\Documents and Settings\LocalService\Application Data\Macromedia\Common\005380161.dll"" (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [rundll32.exe] rundll32.exe "C:\Documents and Settings\LocalService\Application Data\Macromedia\Common\005380161.dll"" (User 'Default user')

    After clicking Fix, exit HJT.


    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in
      the way of allowing ComboFix to run properly.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    After reboot, now install the current version of Sun Java from:
    Sun Java Runtime Environment


    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
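As an added illustration of why those O4 lines stand out (this is not part of chaslang's post and not HijackThis code): the script below parses HijackThis O4 autorun lines and flags rundll32 entries that load a numerically named DLL from a user-profile "Application Data" folder, also noting when the same loader is registered for the SYSTEM or Default user accounts. The regexes and the flagging rules are my own assumed heuristics; the sample lines are the ones quoted in the fix above.

```python
import re

# Constructed sample input: the O4 lines quoted in the fix above.
O4_LINES = [
    r'O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u',
    r'O4 - HKCU\..\Run: [rundll32.exe] rundll32.exe "C:\Documents and Settings\dgarofalo\Application Data\Macromedia\Common\005380161.dll""',
    r'O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\e980072e-4246-47ae-a515-6aa96f750d02.exe',
    r"""O4 - HKUS\S-1-5-18\..\Run: [rundll32.exe] rundll32.exe "C:\Documents and Settings\LocalService\Application Data\Macromedia\Common\005380161.dll"" (User 'SYSTEM')""",
]

# HijackThis O4 line: "O4 - <hive>\..\Run: [<value name>] <command> (User '<account>')?"
O4_RE = re.compile(
    r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] "
    r"(?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)
# rundll32 invocation and the DLL it loads (assumed heuristic, not HijackThis logic).
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^"]+\.dll)"?', re.IGNORECASE)
PROFILE_DIR_RE = re.compile(r"\\(?:Application Data|AppData|Local Settings)\\", re.IGNORECASE)


def parse_o4(line):
    """Split one O4 line into hive, value name, command and optional account; None if not O4."""
    m = O4_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry):
    """Return the reasons an autorun entry looks like a persistence loader (empty = nothing odd)."""
    reasons = []
    m = RUNDLL_RE.match(entry["cmd"])
    if m:
        dll = m.group("dll")
        if PROFILE_DIR_RE.search(dll):
            reasons.append("rundll32 loads a DLL from a user-profile data folder")
        stem = dll.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if stem.isdigit():
            reasons.append("DLL name is purely numeric")
        if reasons and entry["user"]:
            reasons.append(f"same loader also registered for the '{entry['user']}' account")
    return reasons


def audit(lines):
    """Parse every O4 line and return (hive, value name, reasons) for each one."""
    parsed = (parse_o4(line) for line in lines)
    return [(e["hive"], e["name"], classify(e)) for e in parsed if e]


if __name__ == "__main__":
    for hive, name, reasons in audit(O4_LINES):
        status = "SUSPICIOUS" if reasons else "ok"
        print(f"{status:10} {hive}\\..\\Run [{name}]" + "".join(f"\n    - {r}" for r in reasons))
```

Only the two rundll32 entries are flagged; the dumprep and SUPERAntiSpyware entries were listed in the fix for other reasons and trip none of these heuristics.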
     
  4. noavatars

    noavatars Private E-2

    Thanks for the reminder on the desktop. I do get lazy at times and use it for storage when I shouldn't. I cleaned it up and left only the required files.

    Those system32 files are logfiles created by Softscape, my employer. I am a product specialist and run instances of the product on my laptop from time to time.

    I ran that disable windows messenger thing but the system didn't come back with any kind of message saying it was done or anything. I didn't choose the option to uninstall it because the instructions didn't say to do so. After I did the removal I still continued to get WMI errors. Don't know if they were supposed to stop or not.

    My software needs that specific version of Java and is not necessarily compatible with later versions. Is it possible for us to leave it in place until we're totally out of options?

    I uninstalled the viewpoint media player. Must have missed that on the read & run, sorry.

    Next I ran the MGtools analyze and it finished normally.

    Next I tried that combofix thing and it hung for 8 minutes before getting to the "agree to terms" page. Then it backed up the registry and began the scan. After hanging for an hour and a half, I killed it. I don't think it's supposed to take that long (I was very careful not to click my mouse or do anything while it was working). No log was generated.

    Finally, ran the mgtools.exe and it completed normally. Log attached.
     

    Attached Files:

    Last edited by a moderator: Mar 4, 2009
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    My instructions said to remove it, not disable it. ;)


    Did you select all the lines and then click Fix checked? It does not look like it. Try again.

    You must make sure you shutdown McAfee. It is getting in the way. If you cannot get ComboFix to run in normal boot mode, try safe boot mode. Otherwise you may have to uninstall McAfee in order to run the fix. McAfee is obviously not helping you anyway since it did not stop this infection nor is it doing anything to remove it. It is only getting in the way of being able to remove it.

    After repeating all the steps in my last fix from analyse.exe thru to the end, attach the new logs.
     
  6. noavatars

    noavatars Private E-2

    A number of updates for you:

    1. I found out how to disable McAfee. I just ran msconfig and took it off the startup list, and that did the trick. Combofix still hung, but it did run successfully in safe mode.
    2. I REMOVED the windows messenger per your instructions.
    3. I bit the bullet and deinstalled Java as you instructed. I also reinstalled it as you instructed and it's working fine.
    4. Regarding the MGTools files, I did "fix" the files you specified on the first go-around a few days ago. When I ran it again, I found similar, but not exact, entries on the log. Please let me know if further items should be addressed.

    I am attaching the updated logs. Please let me know what else I should do.

    PC seems to be running better now. I saw one error when rebooting, but it closed before I could copy it down. I'll take a screenshot if I see it again.
     

    Attached Files:

  7. noavatars

    noavatars Private E-2

    Another update for you: I got the error again and took a screenshot of it. The screenshot is attached.
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your logs are clean.

    What McAfee is finding is only in System Restore and my final instructions will cleanup restore points.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\combofix folder from combofix (if it exists)
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    7. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work thru the below link:
     
