Euh. Malware.

Discussion in 'Malware Help (A Specialist Will Reply)' started by Silent Potato, Apr 24, 2009.

  1. Silent Potato

    Silent Potato Private E-2

    First off, I'd like to thank MajorGeeks for all of the useful help and information.

    Awesome site great job!

    So here's the deal:

After having been on a weekend camping trip, I returned home on the 19th of this month to find that my computer had become host to a significant amount of malware. Among the malware were trojans, adware, and spyware. Using ESET NOD32 AV v.2 I scanned, scanned, and scanned day after day trying to eradicate these sickly bugs.

On the 21st of this month, I turned on my computer and scanned only to find that it had contracted Win32/Virut.NBP. It had infected roughly 20 .exe files and showed no signs of stopping before I decided to do a full-system restore late last night/early this morning. I decided to do this before a virus worse than Virut was downloaded, and before things got too out of hand.

    The system restore was completed last night, and after sleeping I began updating Windows and installing ESET Smart Security 4. After scanning with SS, I found that the system restore had not solved my problems, as virut had survived and attached itself to 2 different files in the D drive. These 2 files have been quarantined by SS:

    D:\System Volume Information\_restore{do you need the entire file name?}.exe
    D:\Info.exe

I found this site, and followed the handy read/run me first guide which led me here. None of the 4 malware removal programs found anything, and the logs will be attached to the end of this post. Let me know what additional information is needed, and I'll be more than happy to provide it.



    Thanks, again.

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    To remove the infections that remain in System Restore folders, you must disable-enable (toggle) System Restore. My instructions below will include this in final steps since you appear to be in pretty good shape now.


    Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Uninstall the below software:
    J2SE Runtime Environment 5.0 Update 2
    Viewpoint Media Player <-- should have been uninstalled in step 1 of the READ ME

    Now delete the below leftover folders from McAfee and Symantec:
    c:\windows\system32\config\systemprofile\Application Data\McAfee
    c:\documents and settings\All Users\Application Data\McAfee
    c:\documents and settings\Administrator\Application Data\McAfee
    c:\documents and settings\All Users\Application Data\McAfee.com
    c:\windows\system32\config\systemprofile\Application Data\Symantec
    c:\documents and settings\All Users\Application Data\Symantec


Now copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
Make sure that you tell me if you receive a success message about adding the above
to the registry. If you do not get a success message, it definitely did not work.

    Now run Ccleaner to clean out only temp files and nothing else!



    If you are not having any other malware problems, it is time to do our final steps:
1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
  • Click START then RUN and enter the below into the run box and then click OK. Note that the quotes are required:
  • "%userprofile%\Desktop\combofix" /u
    • Note: the space between combofix" and /u must be there.
    • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
  • Delete the C:\combofix folder from ComboFix (if it exists).
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    8. If you are running Vista, Windows XP or Windows ME, do the below:
  • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
9. After doing the above, you should work through the below link:
     
  3. Silent Potato

    Silent Potato Private E-2

So awesome! Thank you so much, your effort and help are appreciated immensely! My scan came up clean, feels good man. A few things...

    I have just gone through and completed the "How to Protect Yourself from Malware" section which went well, but brought up just a couple of questions:

    1. You mentioned running Ccleaner only to remove temp files. Should this be the only procedure I execute with cleaners like this?

    2. My PC is not horribly old (in human years, that is), though when I tried to uninstall Java, I received this error message: "Error: could not locate INF file java.inf". I'm assuming this means that I already have Sun Java installed, but I thought I would check with you just to make sure.

    Also, another question related to malware: what exactly happens to a file that is 'quarantined' by an AV program?

    Note: the addition to the registry was successful.

    Again, again, and again, thank you. I will surely be referring people to this extremely helpful website!
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    Yes! We don't like people to use the registry cleaners since they can frequently get themselves into trouble by just blindly removing everything that shows up. It is also rarely necessary to clean the registry and does not really improve performance like some tools will imply. At least not to any noticeable amount. The possible dangers outweigh any benefit.

    You did not have the old MS Java installed. You already have Sun Java.

    It is just put into a holding cell where it is no longer active. You need to empty your quarantine after you are sure it was not a false detection.
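To show concretely what the "holding cell" described above means, here is an added toy model of an AV quarantine (illustration written for this thread, not ESET's implementation): the detected file is moved out of place, stored masked so it can neither execute nor be re-detected by a scan, recorded with its hash, and kept until it is restored (false positive) or purged. The mask byte, file names and directory layout are assumptions.

```python
"""Toy quarantine: move a detected file into an inert holding area, then restore or purge it.
Added illustration for this thread, not ESET's code."""
import hashlib
import json
import os
from pathlib import Path

XOR_KEY = 0xA5  # constructed byte mask: makes the stored copy inert, it is not encryption


def _mask(data: bytes) -> bytes:
    # Symmetric: applying it twice returns the original bytes.
    return bytes(b ^ XOR_KEY for b in data)


def quarantine(path: Path, qdir: Path) -> Path:
    """Move `path` into `qdir` as a masked blob plus a JSON sidecar; return the blob path."""
    qdir.mkdir(parents=True, exist_ok=True)
    data = path.read_bytes()
    digest = hashlib.sha256(data).hexdigest()
    blob = qdir / f"{digest}.qbin"
    blob.write_bytes(_mask(data))
    os.chmod(blob, 0o400)  # read-only: nothing should execute or modify it while held
    (qdir / f"{digest}.json").write_text(json.dumps(
        {"original_path": str(path), "sha256": digest, "size": len(data)}))
    path.unlink()  # the original is gone, so it can no longer run or infect anything
    return blob


def restore(blob: Path) -> Path:
    """Undo a quarantine (confirmed false positive); verifies the hash before writing back."""
    meta = json.loads(blob.with_suffix(".json").read_text())
    data = _mask(blob.read_bytes())
    if hashlib.sha256(data).hexdigest() != meta["sha256"]:
        raise ValueError("quarantined blob is corrupt; refusing to restore")
    target = Path(meta["original_path"])
    target.write_bytes(data)
    os.chmod(blob, 0o600)  # make deletable again before removing the held copy
    blob.unlink()
    blob.with_suffix(".json").unlink()
    return target


def purge(qdir: Path) -> int:
    """Empty the quarantine once the detections are confirmed real; returns files removed."""
    removed = 0
    for entry in qdir.iterdir():
        os.chmod(entry, 0o600)
        entry.unlink()
        removed += 1
    return removed
```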
     
