Did R&RF. First 3 logs attached. Is it clean now?

Discussion in 'Malware Help (A Specialist Will Reply)' started by NoGeekMe, Feb 22, 2009.

  1. NoGeekMe

    NoGeekMe Private E-2

    Cleaning a friend's PC. He's been running without an AV prog and just XP firewall.

    Last week removed XP Police infection for him. Task manager was accessible again, but at some point afterwards access to it was blocked again. Yesterday I found a suggested fix in an MS knowledge base article, editing the registry, but that didn't fix it.

    Ran R&RMF.

    ComboFix: I couldn't install Recovery Console; I tried manually several times and it didn't take. Also, CB did a reboot between AutoScan and Find3M (step 41 and next screen). Did it run correctly?

    Things are improved. Task manager is accessible again. I don't know what else might have been wrong with his computer, the whole thing was sluggish and it's a little better now. (I still need to reduce the number of programs that load at start up.)

    There are uglies in system restore, don't want to delete the restore points without an okee dokee from you guys.

    Also, for a free firewall for someone who's intimidated by his computer, which do you think is easier, Comodo or ZA?

    Many, many thanks for your help!

  2. NoGeekMe

    NoGeekMe Private E-2

    MG logs attached.

    Here're the MG logs. Thanks again!

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

    After clicking Fix, exit HJT.

    Now we need to use ComboFix again. Shut down your antivirus program before continuing.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!

    All firewalls require you to be at least a little bit of a System Admin. Comodo and ZA could be too much of a resource hog for your friend. You may want to look at How to Protect yourself from malware! and possibly think of using PC Tools or Jetico Personal.
     
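A small parser for HijackThis-style log lines such as the two O3/O9 entries quoted above, added here as an illustration and not code from MajorGeeks or HijackThis. It splits each entry into section code, kind, name, CLSID and target, and flags orphaned entries (a registry reference whose file is missing, which HijackThis prints as "(no file)"). The two extra "Example" lines in the sample are constructed healthy entries so the filter has something to leave alone.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the two lines from the post plus two made-up healthy entries.
SAMPLE_LOG = """\
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O3 - Toolbar: Example Toolbar - {11111111-2222-3333-4444-555555555555} - C:\\Program Files\\Example\\toolbar.dll
O9 - Extra button: Example Button - {AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE} - C:\\Program Files\\Example\\button.dll
"""

# Shape of an HJT entry: "<code> - <kind>: <name> - {CLSID} - <target>"
ENTRY_RE = re.compile(
    r"^(?P<code>O\d+) - (?P<kind>[^:]+): (?P<name>.+?) - "
    r"(?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.+)$"
)

@dataclass
class HjtEntry:
    code: str
    kind: str
    name: Optional[str]    # None when HJT printed "(no name)"
    clsid: str
    target: Optional[str]  # None when HJT printed "(no file)"

    @property
    def orphaned(self) -> bool:
        # The registry still references a CLSID, but no file backs it
        return self.target is None

def parse_hjt(text: str) -> List[HjtEntry]:
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # blank lines and sections with a different layout
        name = None if m["name"] == "(no name)" else m["name"]
        target = None if m["target"] == "(no file)" else m["target"]
        entries.append(HjtEntry(m["code"], m["kind"].strip(), name,
                                m["clsid"].upper(), target))
    return entries

def orphaned_entries(text: str) -> List[HjtEntry]:
    return [e for e in parse_hjt(text) if e.orphaned]

if __name__ == "__main__":
    for e in orphaned_entries(SAMPLE_LOG):
        print(f"{e.code} {e.kind} {e.clsid}: orphaned (no file)")
```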
  4. NoGeekMe

    NoGeekMe Private E-2

    Thanks so much.

    I followed your directions and the logs are attached.

    ComboFix rebooted at the same spot it did before, between AutoScan and Find3M. Normal?

    I think the computer is running a little smoother now. It's an old processor and doesn't have much RAM, so don't know how zippy it will get with current applications.

    So far I've noticed one thing: after I did everything and started Firefox, I got a message stating Firefox isn't the default browser (so I opted to make it the default browser again). There was a browser issue a few days ago, IE was opening when I hit Firefox shortcuts on the desktop and I had to re-set Firefox as the default browser.

    So far only had a second to look at PC Tools and Jetico Personal. Thank you for the recommendations. Does PC Tools have a firewall, or just Jetico?

    Thank you for your help, my friend is very appreciative!

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Your logs are clean.

    You will always have slow performance since your processor is slow and you don't have enough RAM. You need at least twice what you have. Your logs show:
    Total Physical Memory 560.00 MB
    Available Physical Memory 99.86 MB

    Having only 99.86 MB free is a major problem. And once you add a firewall, less will be available.

    See the link I gave you. I was referring to PC Tools firewall, not their antivirus since you already have an antivirus.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Note: the space between combofix" and /u must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\combofix folder from combofix (if it exists)
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    7. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work thru the below link:
     
  6. NoGeekMe

    NoGeekMe Private E-2

    Thank you!

    Yes, it's old and has meager RAM. When I offered to help my friend out with it, that was the first thing I told him.

    Thanks for the help, you guys are great!!!
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     