Computer sending out spam, have followed clean instructions but to no avail.

Discussion in 'Malware Help (A Specialist Will Reply)' started by barnabybabe, Jul 23, 2010.

  1. barnabybabe

    barnabybabe Private E-2

    Help!

    I ended up with malware virus over the weekend, AntiMalwareDoctor I think?? I had microsoft internet security, but that could not fix it, so in the end I downloaded Malwarebytes Anti Malware to treat and then removed Microsoft Internet Security and downloaded AVG.

    This seemed to get rid of it, however everytime I restarted my computer another trojan would be found by AVG. Everytime I restarted the same thing happened, so I removed AVG and downloaded Norton 360, thinking this would be able to help.

    I then started receiving email errors for lots of spam emails that I have never sent, but seem to be coming from my computer. I am unable to minimise box, and when I click to get rid of one box, another one appears (can send screenprint).

    I have followed the "READ & RUN ME FIRST" and it did seem to work at first, as pop ups stopped, but when connected to the internet, seemed to be getting a lot of alerts that someone was attacking my system and now the email error pop ups have started again.

    I have all the requirested logs but for some reason it won't let me attach to this message, I keep getting an error message... could I email them to someone instead?

    Please Please help?
     
    barnabybabe, Jul 23, 2010
    #1
  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Kestrel13!, Jul 23, 2010
    #2
  3. barnabybabe

    barnabybabe Private E-2

    Getting the following message when try to upload...

    Connection Interrupted













    The document contains no data.







    The network link was interrupted while negotiating a connection. Please try again.
     
    barnabybabe, Jul 23, 2010
    #3
  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Then try a different browser or transfer the logs to another computer to try from there. Without seeing your logs I obviously cannot help you. :( I'll be here waiting. :)
     
    Kestrel13!, Jul 24, 2010
    #4
  5. barnabybabe

    barnabybabe Private E-2

    Still not letting me upload from another internet browser, but did let me upload to googledocuments, so have made public via the links below, hope this works?

    https://docs.google.com/document/mobilebasic?id=1S4Ku-GsPB4wtFVg7abTkhA9Xd1i1JX0QSWg6ahwSvgQ

    https://docs.google.com/document/mobilebasic?id=1u0zXnVnMNjlThk4kUhc3OTHemG8ZN6z7sYfZGo9xryY

    https://docs.google.com/document/mobilebasic?id=1S_s3S5XVWlYANN2ppr55Fu72tKBbHk_w7mLk6EPPmKI

    https://docs.google.com/document/mobilebasic?id=1iLKVd7at0akPBUW215sRI0hiMnB7eqMKvcODs2doG8c

    https://docs.google.com/leaf?id=0B3dvPiFgI1cmYTZiMWZiNmMtMzhhOS00MjQwLThiMmUtN2I2OTAzZDM4OWM0&hl=en&authkey=CJT56bAJ
     
    Last edited: Jul 24, 2010
    barnabybabe, Jul 24, 2010
    #5
  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Sorry, but it will not allow me to download it. Ensure that ALL the logs I need from you running the R&R are in the zipped file. Try uploading it to MediaFire and send me the sharing link.
     
    Kestrel13!, Jul 24, 2010
    #6
  7. barnabybabe

    barnabybabe Private E-2

    Had edited the post below, as you were replying, these should work, as they are not zipped?

    https://docs.google.com/document/mobilebasic?id=1S4Ku-GsPB4wtFVg7abTkhA9Xd1i1JX0QSWg6ahwSvgQ

    https://docs.google.com/document/mobilebasic?id=1u0zXnVnMNjlThk4kUhc3OTHemG8ZN6z7sYfZGo9xryY

    https://docs.google.com/document/mobilebasic?id=1S_s3S5XVWlYANN2ppr55Fu72tKBbHk_w7mLk6EPPmKI

    https://docs.google.com/document/mobilebasic?id=1iLKVd7at0akPBUW215sRI0hiMnB7eqMKvcODs2doG8c

    Will go work on the MGlogs Zip...
     
    barnabybabe, Jul 24, 2010
    #7
  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    OK a little hard on the eye to read those logs but I got them. Are you able to upload a zipped file to Googledocs? If not then upload the C:\MGlogs.zip to MediaFire as I suggested.

    I see issues in those logs that need to be dealt with but I am due in at work in half an hour and it will be a 1am finish I should think. I have to get up for work early in the morning on Sunday so please be patient and I'll get back to you on Sunday night. Good luck with uploading the mglogs.zip :)
     
    Kestrel13!, Jul 24, 2010
    #8
  9. barnabybabe

    barnabybabe Private E-2

    Hello,

    Saved all mgtools logs on media fire here:

    http://www.mediafire.com/?sharekey=1778662f08448ca706ecf91ad728cf263e13d49b0dace914eb3c4f28bf42483b72d834c1c882127fef10f4be98718c28

    As other logs are hard for you to read, I will upload the other logs there too, then edit this post.

    No problem with regards being patient, am very grateful for the help and understand you have a life to get on with also. :)

    Other logs are here:

    http://www.mediafire.com/?sharekey=99c6c30ca9448066588f6c8f283c4c1b797dd672e9c63c99513026dd0f2c577f5ddb63533db24485fc095f3c67ae51ad

    Except the SAS log, which would not upload to media fire, but you will already have from google.
     
    barnabybabe, Jul 24, 2010
    #9
  10. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::

File::
c:\windows\Cleyevori.bin
c:\windows\Ldaduji.dat
c:\windows\system32\drivers\ujaiqlk.sys

Folder::
c:\documents and settings\Anna Leech\Local Settings\Application Data\eoarhhegp

DirLook::
c:\documents and settings\Anna Leech\Local Settings\Application Data\{B345C7BB-0292-4274-8516-9A1320382B14}

RegLock::
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}]
@DACL=(02 0000)
@="Microsoft Disk Quota"
"NoMachinePolicy"=dword:00000000
"NoUserPolicy"=dword:00000001
"NoSlowLink"=dword:00000001
"NoBackgroundPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"PerUserLocalSettings"=dword:00000000
"RequiresSuccessfulRegistry"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000000
"DllName"=expand:"dskquota.dll"
"ProcessGroupPolicy"="ProcessGroupPolicy"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}]
@DACL=(02 0000)
@="Internet Explorer Zonemapping"
"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
"ProcessGroupPolicy"="ProcessGroupPolicyForZoneMap"
"NoGPOListChanges"=dword:00000001
"RequiresSucessfulRegistry"=dword:00000001
"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"
"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7B849a69-220F-451E-B3FE-2CB811AF94AE}]
@DACL=(02 0000)
@="Internet Explorer User Accelerators"
"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"
"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
"NoGPOListChanges"=dword:00000001
"ProcessGroupPolicy"="ProcessGroupPolicyForActivities"
"ProcessGroupPolicyEx"="ProcessGroupPolicyForActivitiesEx"
"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}]
@DACL=(02 0000)
"ProcessGroupPolicy"="SceProcessSecurityPolicyGPO"
"GenerateGroupPolicy"="SceGenerateGroupPolicy"
"ExtensionRsopPlanningDebugLevel"=dword:00000001
"ProcessGroupPolicyEx"="SceProcessSecurityPolicyGPOEx"
"ExtensionDebugLevel"=dword:00000001
"DllName"=expand:"scecli.dll"
@="Security"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000001
"MaxNoGPOListChangesInterval"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}]
@DACL=(02 0000)
"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"
"GenerateGroupPolicy"="GenerateGroupPolicy"
"ProcessGroupPolicy"="ProcessGroupPolicy"
"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
@="Internet Explorer Branding"
"NoSlowLink"=dword:00000001
"NoBackgroundPolicy"=dword:00000000
"NoGPOListChanges"=dword:00000001
"NoMachinePolicy"=dword:00000001
"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3014"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}]
@DACL=(02 0000)
"ProcessGroupPolicy"="SceProcessEFSRecoveryGPO"
"DllName"=expand:"scecli.dll"
@="EFS recovery"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B587E2B1-4D59-4e7e-AED9-22B9DF11D053}]
@DACL=(02 0000)
@="802.3 Group Policy"
"DisplayName"=expand:"@dot3gpclnt.dll,-100"
"ProcessGroupPolicyEx"="ProcessLANPolicyEx"
"GenerateGroupPolicy"="GenerateLANPolicy"
"DllName"=expand:"dot3gpclnt.dll"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}]
@DACL=(02 0000)
@="Microsoft Offline Files"
"DllName"=expand:"%SystemRoot%\\System32\\cscui.dll"
"EnableAsynchronousProcessing"=dword:00000000
"NoBackgroundPolicy"=dword:00000000
"NoGPOListChanges"=dword:00000000
"NoMachinePolicy"=dword:00000000
"NoSlowLink"=dword:00000000
"NoUserPolicy"=dword:00000001
"PerUserLocalSettings"=dword:00000000
"ProcessGroupPolicy"="ProcessGroupPolicy"
"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}]
@DACL=(02 0000)
@="Software Installation"
"DllName"=expand:"appmgmts.dll"
"ProcessGroupPolicyEx"="ProcessGroupPolicyObjectsEx"
"GenerateGroupPolicy"="GenerateGroupPolicy"
"NoBackgroundPolicy"=dword:00000000
"RequiresSucessfulRegistry"=dword:00000000
"NoSlowLink"=dword:00000001
"PerUserLocalSettings"=dword:00000001
"EventSources"=multi:"(Application Management,Application)\00(MsiInstaller,Application)\00\00"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}]
@DACL=(02 0000)
@="Internet Explorer Machine Accelerators"
"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"
"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
"NoGPOListChanges"=dword:00000001
"ProcessGroupPolicy"="ProcessGroupPolicyForActivities"
"ProcessGroupPolicyEx"="ProcessGroupPolicyForActivitiesEx"
"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
@DACL=(02 0000)
"DllName"="c:\\Program Files\\SUPERAntiSpyware\\SASWINLO.DLL"
"Logon"="SABWINLOLogon"
"Logoff"="SABWINLOLogoff"
"Startup"="SABWINLOStartup"
"Shutdown"="SABWINLOShutdown"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
@DACL=(02 0000)
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=expand:"crypt32.dll"
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
@DACL=(02 0000)
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=expand:"cryptnet.dll"
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
@DACL=(02 0000)
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy]
@DACL=(02 0000)
"Asynchronous"=dword:00000001
"DllName"=expand:"%SystemRoot%\\System32\\dimsntfy.dll"
"Startup"="WlDimsStartup"
"Shutdown"="WlDimsShutdown"
"Logon"="WlDimsLogon"
"Logoff"="WlDimsLogoff"
"StartShell"="WlDimsStartShell"
"Lock"="WlDimsLock"
"Unlock"="WlDimsUnlock"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@DACL=(02 0000)
@SACL=
@=""
"DLLName"="igfxdev.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
@DACL=(02 0000)
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
@DACL=(02 0000)
"Asynchronous"=dword:00000000
"DllName"=expand:"wlnotify.dll"
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
@DACL=(02 0000)
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=expand:"sclgntfy.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
@DACL=(02 0000)
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
@DACL=(02 0000)
"Asynchronous"=dword:00000000
"DllName"=expand:"wlnotify.dll"
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
@DACL=(02 0000)
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
@DACL=(02 0000)
"HelpAssistant"=dword:00000000
"TsInternetUser"=dword:00000000
"SQLAgentCmdExec"=dword:00000000
"NetShowServices"=dword:00000000
"IWAM_"=dword:00010000
"IUSR_"=dword:00010000
"VUSR_"=dword:00010000
"ASPNET"=dword:00000000
"TBOT"=dword:00000000
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Please also download MBRCheck to your desktop

    • Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
    • It will show a Black screen with some data on it
    • Right click on the screen and select > Select All
    • Press Control+C
    • Open a notepad and press Control+V
    • now please copy that report to this thread
    Your logs were missing the newfiles log. Did you forget to upload that one or do you not have it at all? If so then please complete the below:

    Please click Start, Run, and enter cmd and click OK. This will open a command prompt window. Enter the below commands at the command prompt each followed by the enter key. The bold black are commands. The purple is merely informational.

    cd \MGtools <-- this changes to the MGtools folder and the prompt should change to C:\MGtools>
    ShowNew <-- this will try to run all another scan from MGtools. Tell me what error messages, if any, you see.

    Include links the new log from Combofix please too as well as the newfiles.log and the log from MBR Check but first see that you cannot attach it here normally before using mediafire again.

    Let me know how things are running currently.
     
    Kestrel13!, Jul 26, 2010
    #10
  11. barnabybabe

    barnabybabe Private E-2

    Hello,

    ComboFix Log is attached, however it would not let me attach newfiles.txt. So will add on media fire.

    Did not complete MBR step, as it came up with the following message and I wasn't sure what to do?

     

    Attached Files:

    barnabybabe, Jul 26, 2010
    #11
  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Do you have all important data backed up? You really should do this before continuing since we will need to rewrite your MBR to fix this and while most times this can be done without any problem, these infections can react badly and that could result in a PC not being bootable. You really don't have much choice though since these infections are too dangerous to your security to leave on a PC.

    Also note if you have a Dell PC which uses a non-standard MBR ( or another manufacturer's who does similar to Dell) , fixing the mbr may prevent access the the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. There are a couple of known fixes for said condition, though the methods are somewhat advanced. If you are unwilling to take such a risk, you should not continue but you risk serious problems leaving this infection in place and thus your only other option would be to try using the Dell Restore Utility to return a factory ship state which will remove everything you additional you have put onto the PC.


    Now if you wish to continue and fix the malware - please do the following:

    * Run MBRCheck.exe
    * Wait until you see the following lines:
    o Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    o Options:
    [1] Dump the MBR of a physical disk to file.
    [2] Restore the MBR of a physical disk with a standard boot code.
    [3] Exit.
    Enter your choice:

    * Please push the 'Y' key and then press Enter
    * When the program asks you to Enter your choice: enter 2 to Restore the MBR and press the Enter key
    * Now the program will ask you to "Enter the physical disk number to fix (0-99, -1 to cancel):"
    o Enter 0 and press the Enter key.
    * The program will show Available MBR codes as below

    * You need to select your version of Windows from the list. For example, enter 0 or 1 for XP or enter 3 for Vista.....etc. and then press Enter.
    * The program will prompt for confirmation. Type 'YES' and hit Enter.
    * Left click on the title bar (where program name and path is written). From menu chose Edit -> Select All
    * You will see all the text in the window get highlighted.
    * Hit the Enter key on your keyboard to copy all of the text into the clipboard.
    * Paste that text into Notepad, save it to your desktop as MBRfix.txt
    * Restart your PC.
    * Attach the MBRfix.txt file to your next message..

    Now please re-run MBRCheck.exe and attach that log also.

    Then run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
    TimW, Jul 26, 2010
    #12
  13. barnabybabe

    barnabybabe Private E-2

    Hello,

    Thanks for your reply, I have been trying to upload newfiles.txt to media fire, but it keeps failing and will not upload here either?? Any idea why this is, as I was just able to attach combo fix log to previous message.

    No, my computer is not currently backed up, it is not a dell but a hp hetbook. A silly question probably, but how do I go about backing it up?
     
    barnabybabe, Jul 26, 2010
    #13
  14. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    We dont want you to upload individual files from the C:\MGLogs.zip. Just attach the whole zip file.

    You may want to copy pictures, personal data and files to a cd.
     
    TimW, Jul 26, 2010
    #14
  15. barnabybabe

    barnabybabe Private E-2

    Thanks, that worked... Mglogs zip file is attached.

    Will back up my personal stuff and come back asap.
     

    Attached Files:

    barnabybabe, Jul 26, 2010
    #15
  16. barnabybabe

    barnabybabe Private E-2

    Logs attached as requested... computer seems to be running ok at the moment, though I have only just completed those tasks, so will monitor it and let you know how it is getting on...

    Thankyou
     

    Attached Files:

    barnabybabe, Jul 26, 2010
    #16
  17. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Your logs are clean. Let me know what other issues you may still be having. In regards to your email issue:

    Malware detected in email databases has to be cleaned up by you. You have a few choices:

    1. delete the whole file which is not an option you normally want to use
    2. load the email folder that contains the infection and delete ALL unnecessary emails (hoping to remove the problem email) and then use the Mailbox Cleanup option to delete all old emails. Then compact the Outlook database to permanently remove data. See http://support.microsoft.com/kb/196990 If you do not cleanup and compact the databases, the deleted emails may still be leaving hidden information in the database that you just cannot see but a scanner may still pickup on it.
    3. create a new folder and move only emails you really need into the new folder and then delete the infected folder.
     
    TimW, Jul 27, 2010
    #17
  18. barnabybabe

    barnabybabe Private E-2

    Hello,

    My computer seems to be working perfectly now, thank you, thank you, thank you :)

    With regards the email, they were not going out from my email, as far as I can see, I was just getting lots of email error messages from Norton to say the spam was not being delivered, as if being sent from my computer but do not know where they were orginating from???

    Also re norton, am having no alerts of people trying to get into computer anymore, when online, which I was having when other problems were going on, but do have lots of notifications on my security log whenever I am online...lots of blocking of TCP connections:

    Maybe this is normal?? but wanted to check, as only downloaded norton when problem started as thought it may help. Need to delete as can't afford to pay when trial runs out, and will then download a free anti virus (any reccomendations welcome), but wanted to check the above before I did in case it was unusual?
     
    barnabybabe, Jul 28, 2010
    #18
  19. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You can check through the How to Protect Yourself link for suggestions regarding freeware AV, AS and Firewall programs.

    If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.


    3. Go back to step 6 of the READ ME and renable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    10. After doing the above, you should work thru the below link:




    Support MajorGeeks!
     
    TimW, Jul 28, 2010
    #19
  20. barnabybabe

    barnabybabe Private E-2

    I have followed the steps below, and just working through the "how to protect from malware page"!!

    Thank you so much to yourself and Kestrel13! I was stressing about all this, and your time and help has been greatly appreciated.

    Bye bye xx
     
    barnabybabe, Jul 28, 2010
    #20
  21. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    From Tim and myself: You're most welcome. :)
     
    Kestrel13!, Jul 29, 2010
    #21

MajorGeeks.Com Menu

Downloads All In One Tweaks \ Android \ Anti-Malware \ Anti-Virus \ Appearance \ Backup \ Browsers \ CD\DVD\Blu-Ray \ Covert Ops \ Drive Utilities \ Drivers \ Graphics \ Internet Tools \ Multimedia \ Networking \ Office Tools \ PC Games \ System Tools \ Mac/Apple/Ipad Downloads

Other News: Top Downloads \ News (Tech) \ Off Base (Other Websites News) \ Way Off Base (Offbeat Stories and Pics)

Social: Facebook \ YouTube \ Twitter \ Tumblr \ Pintrest \ RSS Feeds