Given a PC, IE Homepage was Netspry, plenty of malware...

shotgunsnthehall · Aug 28, 2008

This PC was given to me and it seemed to run alright, but when I hooked it up to the internet I was suspicious(mostly due to the Netspry perpetual homepage trick), so I began to clean it up. Now, my efforts lead me here and attached are my logs. Hopefully it's not too messy.

shotgunsnthehall · Aug 28, 2008

.........

[EDIT NOTE]

emachines, running Windows XP Home SP3, McAfee Security Center(Actually Blue-screened me when I first tried to scan with it)

TimW · Aug 29, 2008

Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

Run C:\MGtools\analyse.exe by double clicking on it. (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.netspry.com
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
Click to expand...

After clicking Fix, exit HJT.

Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
"98D0CE0C16B1"=-
Click to expand...

Now use windows explorer to find and delete:
C:\fa2a1953baa10733108068

Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
C:\WINDOWS\Temp
C:\Documents and Settings\%username%\Local Settings\Temp

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file.

shotgunsnthehall · Aug 29, 2008

Certain Temp files refused to be deleted-said they were in use by another program...

I'm running Windows XP Home and McAfee Security Center, but the latter has no option to just kill it from the taskbar...I have to open the program and manually turn off my protection, however I think it may still be in the memory banks running something, but what? Should I kill any McAfee processes through task manager before I continue with the clean-up?

TimW · Aug 29, 2008

If you have disabled it from the program, go ahead and do the fix. I doubt that it will block it from working.

shotgunsnthehall · Aug 31, 2008

Bump....Still awaiting further diagnosis of my Second MGlog.zip

TimW · Aug 31, 2008

Sorry for the delay (weekend, etc.)

Your logs look clean.

If you are not having any other malware problems, it is time to do our final steps:

We recommed you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significan amount of resources ( except a little disk space ) until you run a scan.

If we used Pocket Killbox during your cleanup, do the below

* Run Pocket Killbox and select File, Cleanup, Delete All Backups

If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)

Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required

"%userprofile%\Desktop\combofix" /u

Notes: The space between the combofix" and the /u, it must be there.

This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.

Delete the C:\combo-fix folder from combofix.

If we had you run Avenger, you can delete all files related to Avenger now.

If we had you run RenV.exe, you can delete it and the Log.txt file on your Desktop.

Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.

If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.

If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.

Go to add/remove programs and uninstall HijackThis.

You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip

If you are running Vista, Windows XP or Windows ME, do the below:

Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.

Then reboot and Enable System Restore to create a new clean Restore Point.

After doing the above, you should work thru the below link:

How to Protect yourself from malware!

Click to expand...

shotgunsnthehall · Sep 8, 2008

Hey thanks for all the help. The PC seems to be running much better now. I decided on keeping HJT, along with SAS, MalwareBytes, and Spybot...I appreciate all the professional level help and just wanted to borrow your expertise one last time to look over one last log. The log was made through HJT, thanks in advance, I will refer everyone I know experiencing trouble to your site!

TimW · Sep 8, 2008

If you want to keep HJT, then you need to install it properly. You have it as:
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

You need to change it to:
C:\Program Files\Trend Micro\HijackThis\Analyse.exe

Are you having problems?

shotgunsnthehall · Sep 8, 2008

I'm guessing I just needed to rename HJT, so I did and the re-ran. The new log will be attached.

I'm not actually having problems with the machine. No obvious crashes or spy-ware indicative symptoms, although what strikes me as odd(and leaves me paranoid)is that certain malicious software removal apps(like Spybot, SAS, etc..)will only spot some, not all, spyware. Perhaps I would feel better if that were explained to me. How is it that one scanner will not recognize what another scanner can and vice-versa?

TimW · Sep 9, 2008

All scanners are dependant on the program developers. Meaning, that as malware surfaces, the companies need to respond to them with what you experience as an update. Some respond faster than others.....so you need to be aware that NO program is 100% effective. That is why we suggest that you work thru the below link:

How to Protect yourself from malware!

And unless you know what you are doing with HJT, I would suggest that you remove it. It is not a malware removal program.

Log in or Sign up

Given a PC, IE Homepage was Netspry, plenty of malware...

shotgunsnthehall Private E-2

Attached Files:

SASlog.txt

MGlogs.zip

mblog.txt

shotgunsnthehall Private E-2

Attached Files:

ComboFix.txt

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

shotgunsnthehall Private E-2

Attached Files:

MGlogs2.zip

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

shotgunsnthehall Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

shotgunsnthehall Private E-2

Attached Files:

LastLogHJT.txt

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

shotgunsnthehall Private E-2

Attached Files:

LastLogHJT2.txt

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member