Dear Mr. Chas, When u have a moment please....

Discussion in 'Malware Help (A Specialist Will Reply)' started by AlwaysInfected, Mar 27, 2008.

  1. AlwaysInfected

    AlwaysInfected Private First Class

    My cousin got a used computer from someone.. which really wasn't in bad condition from what I saw besides a few minor issues. Some spyware, she also has this error message that loads on Windows startup that if I remember correctly is something along the lines of "Softwrap error"

    Here's my main reason for this post. She uses MSN Messenger which I personally don't condone or like n she received one of those infamous messages from a friend saying... "Click here to view so n so's pictures.." she clicked it n I dunno to what extent she proceeded with it but apparently AVG detected some issues so I'm sure there is more to it....

    Anyhow I thought a CHAS review would be appropriate anyhow in regards to this matter and as a general precaution and overview!

    When u get a minute, I have these logs here for you...

    (I had to get her MS Frameworks as MGtools wouldn't deflate entirely but that was resolved quickly...)

    Also I don't have a Spyware S&D log because when it finished it didn't detect anything.

    Everything else is here..


    SideNote: What happened with ComboFix? what made u decide to substitute it? Are u updating n working on it or did u retire it?

    Thanks n Godbless,
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm not sure what you mean. We don't need MS .NET Framework for the tools to extract. The processdll.exe procedure that the scripts call to create one of the logs does need it though.

    Possible major issues related to certain malware or PCs were starting to occur. The results could be a totally unbootable PC. Thus until this is all worked out, we have pulled it from the procedure to be safe. Only some people had problems. Many people were still running it without a problem. We err on the side of being safe for everyone. ;)

    The MGlogs.zip file is incomplete. After doing the below fix, be sure to follow my instructions for getting a new log and watching for error messages.


    Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Uninstall the below software:
    Messenger Plus! Live & Sponsor (CiD) <-- should have been uninstalled in step 1 of the READ ME. This is the cause of some of the malware.

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - HKLM\..\Run: [Piolet] C:\Programas\Piolet\Piolet.exe SILENT
    O4 - HKLM\..\Run: [GlobalFlagimglog] C:\WINDOWS\system32\imglog.exe
    O4 - HKLM\..\Run: [msne] C:\WINDOWS\system32\msne.exe
    O4 - HKLM\..\Run: [msmsn] C:\WINDOWS\system32\msmsn.exe
    O4 - HKLM\..\Run: [msshell] C:\WINDOWS\system32\msshell.exe
    O4 - HKCU\..\Run: [star1] C:\WINDOWS\system32\Winrun.exe
    O4 - HKCU\..\Run: [star2] C:\WINDOWS\system32\ischot.exe
    O4 - HKCU\..\Run: [star3] C:\WINDOWS\system32\Xred1.exe
    O4 - HKCU\..\Run: [star4] C:\WINDOWS\system32\Zred2.exe
    O4 - HKCU\..\Run: [star5] C:\WINDOWS\system32\Mscheldork.exe
    O4 - HKCU\..\Run: [star6] C:\WINDOWS\system32\MscheldB.exe
    O4 - HKCU\..\Run: [star7] C:\WINDOWS\system32\Mscheldncx.exe
    O4 - HKCU\..\Run: [star8] C:\WINDOWS\system32\svscheld.exe
    O4 - HKCU\..\Run: [explorer] C:\WINDOWS\system32\process.exe
    After clicking Fix, exit HJT.


    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.
    Now run Ccleaner!


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

    While GetLogs.bat is running, watch for error messages like the ones mentioned on the Using MGtools download page. You could be getting some of those errors which could explain the missing logs. Also make sure you allow it to run until it is finished.


    Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

    Make sure you tell me how things are working now!
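    The HijackThis lines above are the kind of thing an analyst reads by eye: orphaned BHOs, a run of executables dropped straight into system32, value names that are just a prefix plus a counter ("star1".."star8"), and a value named "explorer" that launches something other than explorer.exe. The script below is an added example (not an MGtools or MajorGeeks tool) that parses O2/O4 lines in that format and flags those patterns. The sample log is constructed: the first five lines are the indicators quoted from the post, the SoundMAX line is a made-up benign entry for contrast, and the tiny system32 allowlist and the scoring rules are my own assumptions, not a published signature set.

```python
"""Review HijackThis-style O2/O4 log lines for common startup-hijack patterns.

Added example; not a MajorGeeks/MGtools tool. Heuristics are assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample: first five lines are the indicators quoted from the thread,
# the SoundMAX line is an invented benign entry so the heuristics have a negative case.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Piolet] C:\Programas\Piolet\Piolet.exe SILENT
O4 - HKLM\..\Run: [GlobalFlagimglog] C:\WINDOWS\system32\imglog.exe
O4 - HKCU\..\Run: [star1] C:\WINDOWS\system32\Winrun.exe
O4 - HKCU\..\Run: [explorer] C:\WINDOWS\system32\process.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
"""

# O4 - <hive>\..\<key>: [<value name>] <command line>
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]*)\] (.+)$")
# O2 - BHO: <name> - {CLSID} - <dll path or "(no file)">
O2_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")

# Hypothetical allowlist: executables that are routinely legitimate in a system32 Run entry.
SYSTEM32_ALLOW = {"ctfmon.exe", "rundll32.exe"}
# Value names that impersonate core Windows processes; the executable should match.
IMPERSONATED = {"explorer", "svchost", "winlogon", "lsass"}


@dataclass
class Finding:
    line: str
    reasons: List[str] = field(default_factory=list)


def exe_path(command: str) -> str:
    """Return the executable path from an O4 command line (HJT prints paths unquoted,
    so split at the first '.exe' rather than at the first space)."""
    m = re.match(r'^"?(.*?\.exe)', command, re.IGNORECASE)
    return m.group(1) if m else command.strip()


def review_line(line: str) -> Finding:
    """Apply the heuristics to one log line; an empty reasons list means nothing stood out."""
    finding = Finding(line.rstrip())
    m = O2_RE.match(line)
    if m:
        name, _clsid, path = (g.strip() for g in m.groups())
        if path == "(no file)":
            finding.reasons.append("BHO registered but its DLL is missing (orphaned entry)")
        if name == "(no name)":
            finding.reasons.append("BHO has no display name")
        return finding
    m = O4_RE.match(line)
    if m:
        _hive, _key, value, command = m.groups()
        path = exe_path(command)
        exe = path.rsplit("\\", 1)[-1].lower()
        if path.lower().startswith("c:\\windows\\system32\\") and exe not in SYSTEM32_ALLOW:
            finding.reasons.append(f"unfamiliar executable launched from system32: {exe}")
        if re.fullmatch(r"[a-z]+\d+", value.lower()):
            finding.reasons.append(f"serial value name '{value}' (typical of dropper-created entries)")
        if value.lower() in IMPERSONATED and exe != value.lower() + ".exe":
            finding.reasons.append(f"value named '{value}' launches {exe}, not {value.lower()}.exe")
    return finding


def review_log(text: str) -> List[Finding]:
    """Return only the lines that triggered at least one heuristic."""
    return [f for f in (review_line(l) for l in text.splitlines() if l.strip()) if f.reasons]


if __name__ == "__main__":
    for f in review_log(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("    ->", r)
```

    Running it on the sample prints four flagged lines (the orphaned BHO, imglog.exe, Winrun.exe and process.exe) and leaves the SoundMAX entry alone; it also leaves Piolet alone, which is the point of the caveat: a heuristic pass only narrows the list, and entries like a P2P client under C:\Programas still need a human (or the forum's specialist) to decide.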
     
  3. AlwaysInfected

    AlwaysInfected Private First Class

    Thanks man... What i meant with Frameworks was that Mgtools finished immaturely with error number 4. didn't finish the deflation or complete the process till i installed MS Frameworks... :p

    Thanks a lot for taking the time out as usual. I go back to my cousin's house this weekend as it's her daughter's birthday, she will be 2 :)

    I will finish the cleaning process then n let u know how all is afterwards.

    Thanks much for looking out!

    GodBless,
     
  4. AlwaysInfected

    AlwaysInfected Private First Class

    Wow I'm having a crisis. N because my cousin is spoiled n has no patience. She's calling my house saying she has no internet access. Saying she can't sign on. I asked her if she can get on Windows n she said yes. I said when I get to your house tomm. I'll do the final steps n remove all the malware...

    She then calls me 20 minutes later.. Screaming n yelling saying why did u mess with my computer knowing I wasn't gonna be able to go online... I was like...WOW :confused

    I hate when impatient spoiled people who have had the net for the first 2 weeks of their lives come n tell me about what i did n how the internet n much less a virus works....rolleyes

    Apparently the net is her life line n all she does is go on her HI5 n use MSNMessenger.... aaaaaalllllllllll day...

    I got to her house n uninstalled Daemon Tools (CD burning app) that had been installed recently... According to her she "didn't download it" along with "uTorrent" n something else that was in her Firefox Downloads box.....rolleyes

    So my question now Chas, how do I go about getting "Avenger" at her house to finish the final process when I won't be able to get online? Everything else is on there from the apps I used in yesterday's scans....

    I also fear that because she is spoiled n ignorant she won't make it through the day n bring it to a tech who will have no idea what MGtools is as also all her hidden files are in visible status....

    Put it like this.. I had told her prior to getting online.. "Your brother has Cable modem, When u get setup to get online let me know as you do not! need another online account. You just need to get a Lan Modem..."

    Well she couldn't remember what i said or to call me n was in such a rush that she went n got another modem n even then still had to wait a day or 2 to get online due to technical issues.....

    *SMH* I can't deal with people like her.... I mean she had a life before a computer. It's sickly disturbing how people with addictive personalities react when they can't get what they want...

    Anyhow I'm wondering what I can do if all goes well n I can get there before she does something stupid. I can handwrite all the malware logs to clean with HiJack but I don't know how I'm gonna put Avenger on her PC without having online access as I don't have a USB thingy...
     
  5. AlwaysInfected

    AlwaysInfected Private First Class

    Here's the last MGtools scan after the removal of all the stuff u said to remove with HJ n Avenger...

    The startup is a lot cleaner n runs a bit quicker.... also the Softwrap error that initiated on startup is also gone...

    let me know how this log looks
    Much appreciated...
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You forgot to attach the requested log from Avenger. However your logs are clean.

    If you are not having any other malware problems, it is time to do our final steps:
    1. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop & renamed it like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\cf" /u
        • Notes: The space between the cf" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    2. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    3. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you run Avenger, you can delete all files related to Avenger now.
    7. If we had you run RenV.exe, you can delete it and the Log.txt file on your Desktop.
    8. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    9. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    10. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    11. If you are running Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    12. After doing the above, you should work thru the below link:
     
  7. AlwaysInfected

    AlwaysInfected Private First Class

    Well Mr. Chas you have done it again! I have faith in your work like the lord himself...:D

    Anyhow her system is running like new, as expected! You always do superb work n for this I am always extremely thankful...

    As I noted before she is highly selfish n belligerent, almost narcissistic! I sent u the original logs on Thursday n she yelled n screamed at me all day Friday trying to force me to come down when it was not necessary since I had to go down Saturday anyhow and it was not a good day for me to go so far to do something that could clearly wait for the next day.

    So anyhow she calls me later in the night still mad still crying about the necessity of being able to get on MSN Messenger n this n that so my blood was literally boiling, I took my mom's car n jetted down there at about 11pm to run everything of your reply to my initial logs...
    I couldn't even get a Thank you for wasting my time n gas at that hour of the night to clean up her system just because she woulda died if she hadn't gotten on MSN Mess.

    Let me say this Chas, I did everything properly n restarted her PC twice to make sure all was running perfect n her MSN was crisp. After I explained to her how you recommended to stay away from Live Plus n I also concurred n said that the risk is hers, we did our part n I made sure she saw the results n agreed. She deliberately said she didn't care n that she wanted the features that Plus enables... I reinstalled it at her request n responsibility only after I gave u the final log above...

    I'll tell you what. From now on if she has any issues she can go find a technician on the island who will keep her pc for several days n probably not do things properly...

    Between the time I had gotten there at night she had already spoken to someone about how her PC was n the answer they gave her (which I wasn't surprised) was to REFORMAT...:Drolleyes

    I said that's what uninformed lazy people do for a quick buck. Next time u can spend ya money n do what you want. She didn't know how to value your service nor mine...

    I will never waste your time or mine on someone who doesn't appreciate or even listen to how to protect their system n reinstalls something that is a potential threat...
    As for me, after my initial cleaning about 4-5 months ago and reading how to properly protect my system n what tools to use together, I haven't had issues. The last issue was like 2 weeks ago when I decided to mess with MSN Mess n was unaware of the threats involving Live Plus. U then guided me through the matter n I was fine....

    Anyhow sir, Thanks for all your Superb n considerate work! It is more appreciated than you know! You are a savior!
    Stay Blessed!
    A-I,
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.
     
