God Someone Please Help Me

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by meep7, May 19, 2011.

  1. meep7

    meep7 Private E-2

    I work as a web content writer, and have gotten this virus. My work and everything is on my computer. I'm on my boyfriend's computer now, mine is locked up in so many different ways. I know exactly how I got it. I am planning to dye my hair, and am interested in a light brown auburn red, and was looking for 2 images, one of what I wanted and one of what I didn't. I wanted my red more light brown than Rihanna's hair, and was going to use a link to that image along with another model's picture to ask color questions in the longhaircommunity forum. But the Rihanna picture automatically downloaded a virus to my computer. I don't think it was the forum because I've been there tons of times, but just in case it was there, I was on that site as well.

    As soon as I went to the Rihanna image from Google images, my McAfee said that my system was compromised and unprotected, and so did Windows. But I think the Windows thing was a dummy pop-up, and I might have accidentally clicked it, and that's how this started.

    Now it made IE my default search instead of Mozilla. It won't open Mozilla and says Google is posing a threat to my system security. McAfee shows no results. Whenever I try to run Mozilla or Malwarebytes these fake Windows security popups show up stating that it needs to run a scan, and that there's all types of trojans and other things on my computer.

    I have been careful not to click any of these, and have been shutting them down from control-alt-delete. When I do control-alt-delete on them, it says that I am closing an unresponsive program called hfa.exe. I can't find anything online about it.

    This virus is awful, and I wasn't looking at anything pornographic, or malicious in any way, just general celebrity photos from Google's first page of image search results. It's an image of Rihanna with her hair up. I think she's wearing a white outfit, but I'm not sure. But God please be careful if you browse celebrity photos. Please somebody help me. I have a new baby, I can't miss time from working financially.

    I've already missed like 2 hours while he was napping. I don't know if this software is reading my information or what. I'm hoping it hasn't because the popups keep trying to get me to click on them to run a virus scan etc. So I'm hoping that there's a chance to fix and remove this still, and that it doesn't have access to any of my private files.

    The popups seem to come directly from my system tray as well. They look like the Windows security icons and they just sit there and multiply every few minutes.

    I have stopped the process of hfa.exe in the task manager, but it just comes back when I open a program. I looked for it in my startup manager thing but can't find it.

    Please somebody help me!!
     
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Welcome to Major Geeks!

    Please read ALL of this message including the notes before doing anything.

    Please follow the instructions in the below link:

    READ & RUN ME FIRST. Malware Removal Guide


    and attach the requested logs when you finish these instructions.

    • **** If something does not run, write down the info to explain to us later but keep on going. ****
    • Do not assume that because one step does not work that they all will not. MGtools will frequently run even when all other tools will not.


    • After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain ( if any still do )!
    Helpful Notes:


    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:

    2. If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware and Malwarebytes ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
    3. If you cannot seem to login to an infected user account, try using a different user account (if you have one) in either normal or safe boot mode and running only SUPERAntiSpyware and Malwarebytes while logged into this other user account. Then reboot and see if you can log into the problem user account. If you can then run SUPERAntiSpyware, Malwarebytes, ComboFix and MGtools on the infected account as requested in the instructions.
    4. To avoid additional delay in getting a response, it is strongly advised that after completing the READ & RUN ME you also read this sticky:

    Any additional post is a bump which will add more delay. Once you attach the logs, your thread will be in the work queue and as stated our system works the oldest threads FIRST.
     
  3. meep7

    meep7 Private E-2

    Okay Tim,

    Thank you so much for hopping on here. Now something happened. As I was going through the steps you asked of me, I was setting up my system for a Normal Start up, and it said something about system restore, or something. And I realized I had not tried that yet. So I stopped the steps and tried that. It allowed me to restore my system to yesterday. Now things seem to be fine. But you're an expert, so please tell me, am I completely out of the dark, or do you recommend I continue taking any further measures?
     
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    It's still possible that your restore point was infected and it's just a matter of time before it starts affecting your system again. What I would appreciate your doing is to run both SAS and MBAM on the system and also download MGtools and save it to your root folder, which will be:
    C:\MGTools.exe. Run the exe and attach the C:\MGLogs.zip. Then I can tell if you are in fact clean. ;)
     
  5. meep7

    meep7 Private E-2

    Okay. Thank you. Please tell me what are SAS and MBAM?
     
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

  7. meep7

    meep7 Private E-2

    Okay. It asked me to agree to the terms of Hijack This, I hope that was part of it. I hope that is okay. I agreed to the terms. Here is the file. Hoping and praying there's nothing else on here. God Bless you for helping me and my little family. Thank you so much.
     

    Attached Files:

  8. meep7

    meep7 Private E-2

    I'm not sure what you mean by run SAS and MBAM, can you please tell me how to run these programs, or what the abbreviations are short for? I can't figure it out.
     
  9. meep7

    meep7 Private E-2

    I'm sorry I asked twice, when switching from my boyfriend's PC to my netbook, I didn't realize I already asked. Running Malwarebytes and downloading and running SAS now.
     
  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You had to click accept twice to get HJT to run.

    Now download The Avenger by Swandog469, and save it to your Desktop.

    * Extract avenger.exe from the Zip file and save it to your desktop

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    * Run avenger.exe by double-clicking on it.
    * Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Now run CCleaner to clean out only temp files and nothing else!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator). Make sure that you watch for the license agreement for TrendMicro HijackThis and click on the Accept button TWICE to accept ( yes twice ).

    Then attach the below logs:

    * C:\Avenger.txt
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  11. meep7

    meep7 Private E-2

    Just to update you, Tim, the Malwarebytes and SAS are still running. It seems like it might be taking awhile, so I want you to know that I am not gone. Please let me know if I should go ahead and follow the directions in your last post while they're running, or if I should wait until they're done.
     
  12. meep7

    meep7 Private E-2

    Scratch that. I see I have to disable antispyware stuff to do it. Okay I will let you know when I'm starting the next step.
     
  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    They probably should not have been run at the same time, but hold off on my fix until they are finished. ;)

    You just need to disable your AV software.
     
  14. meep7

    meep7 Private E-2

    Oh my goodness, they are still just going and going. I just want you to know that I'm still here. Please continue to hang on. I guess I just have a lot of stuff on my computer or something, or maybe this is common. Would stopping one, and then restarting it after the other finishes speed up the process since you said I probably shouldn't have run them at the same time?
     
  15. meep7

    meep7 Private E-2

    Ok finally done. The SAS removed quite a bit, and the Malwarebytes found one item. I am moving onto the next part. I will let you know when that is complete. Thank you for being patient.
     
  16. meep7

    meep7 Private E-2

    I have McAfee. With the disabling of the anti virus and spyware, what parts of that program should I turn off specifically? I'm thinking firewall and real time scanning. Are there any more things that I should disable?
     
  17. meep7

    meep7 Private E-2

    Just to make progress, I went ahead through the routine. I turned off real time scanning, and did not turn off the firewall. Since the only thing under viruses and malware on McAfee Total Protection was real time scanning, I turned that off to run Avenger. I will go through the process again if need be. But I figured I should at least do something just in case this was all you needed to make your final analysis.

    I've attached the files that were generated. If I should run all of this again and cut additional sections of McAfee off to do so, please let me know.

    I hope the reports indicate that things are good now. Please let me know what they say. And thank you for all of your help and patience so far. You might be asleep now. It is late. So hopefully I will be able to talk with you again tomorrow. I will remain online for awhile though to see if you turn up again tonight.
     

    Attached Files:

  18. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Your logs are clean. Though you still need to clean out this folder:
    C:\Documents and Settings\Eurydice\Local Settings\Temp\

    Tell me what malware issues you are still having, if any.

    If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan. We recommend them for doing backup scans when you suspect a malware infection.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.


    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    10. After doing the above, you should work through the below link:


    Malware removal from a National Chain = $149
    Malware removal from MajorGeeks = $0

    Help Support MajorGeeks
    Buy Discounted Software @ Majorgeeks Store. Giveaways Too!

    Majorgeeks Geek Wear. Hats, T-Shirts, Hoodies

    MajorGeeks on FaceBook
     
  19. meep7

    meep7 Private E-2

    Thank you so much, Tim. I completed your instructions above. The only issue I encountered is that my temp folder seems to keep getting stuff in it every time I completely clear it out. Not sure if that's normal. I'm usually able to delete everything manually but one file. Then I use Malwarebytes to take that out. Then Malwarebytes prompts me to allow the system to restart. When I get back, the file is gone, but there are about 20 new files, and a new file that can't be deleted without Malwarebytes. I've gone through the process twice. And each time the stubborn file had a new name, and the delete function says that it won't allow me to delete it because it's being used by another program.

    Other than that the computer is running smoothly, and everything seems okay. But I have not logged in anywhere like email, or anything private, because I wanted to get the go ahead from you.
     
  20. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You never attached either the SAS or the MBAM logs. I would like to see them now.
     
  21. meep7

    meep7 Private E-2

    Yes only the Avenger and the MG logs. I did not realize you needed the SAS and MB logs. I'm sorry if I missed something. Can you please tell me where they're located on my computer. I will upload them right away.
     
  22. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    SAS log is here:
    Code:
    "C:\Documents and Settings\Eurydice\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Logs\"
    supera~1.log  May 19 2011       64021  "SUPERAntiSpyware Scan Log - 05-19-2011 - 20-28-33.log"
    MBAM log is here:
    Code:
    "C:\Documents and Settings\Eurydice\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\"
    mbam-l~1.txt  Jan 20 2011        1822  "mbam-log-2011-01-20 (21-46-10).txt"
    mbam-l~2.txt  May 19 2011        1027  "mbam-log-2011-05-19 (21-18-02).txt"
     
  23. meep7

    meep7 Private E-2

    Ok, uploading them now.
     
  24. meep7

    meep7 Private E-2

    Here they are.
     

    Attached Files:

  25. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Check your internet add-ons and remove Whitesmoke if you find it. Re-run both SAS and MBAM so I can see if they are picking up anything else.
     
  26. meep7

    meep7 Private E-2

    Ok, I am doing those things now.
     
  27. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I am about to shut down for the evening. Attach the two logs for me to look at tomorrow and also download combofix.exe to your desktop and run it. Attach that log as well.
     
  28. meep7

    meep7 Private E-2

    I never use IE, but checked the add-ons under tools there and nothing. I checked Mozilla add-ons under tools and it was not there. I did download a grammar correcting software called Whitesmoke some time ago, and keep seeing bits of what I think is it turn up over and over. But it could be something totally different. I just assumed it was that and kept trying to delete it when I found pieces. But it is weird that it won't go away. It's been a long time since that download.

    It was only a trial copy of it. I did not buy the software because I didn't think it would work for my needs. SAS is still running. I am running the programs separately today for hopeful speed. So after that's done I will run MB. I will update you on what the scan is doing in a few minutes. Hopefully it will be quicker today.
     
  29. meep7

    meep7 Private E-2

    Ok, I will do that. If you are still there, do you think I can start opening email and my work accounts and other things or do you think there is a risk of spyware still logging personal data? I haven't been able to work since the crash, because everything is a password account for me, but I don't want to start work and risk the compromise of any of my personal data, work accounts or email info. So I will follow your advice.
     
  30. meep7

    meep7 Private E-2

    Hi, Tim. Here are the 3 logs. I wasn't quite sure where the ComboFix log was, but it opened automatically when the software finished, so I just saved that copy to my desktop, and attached it for you. If you need me to retrieve a different copy from another location, please let me know.
     

    Attached Files:

  31. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Your logs look good. My suggestion to you would be to use a different computer to change all your online passwords, just for safety's sake. Otherwise, I think you are good to go.

    If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan. We recommend them for doing backup scans when you suspect a malware infection.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.


    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    10. After doing the above, you should work through the below link:


     
  32. meep7

    meep7 Private E-2

    Okay, Tim. I will definitely do that, and change my passwords on a different computer. I will also complete the list of tasks you've listed for me, and continue to read the resources on this website. I guess everything happens for a reason. I've learned a lot through this process, and now know I need to learn more about protecting my computer, and my source of employment.

    Thank you so much for all of your help. I hope you realize how much you help people. I know I'm not the only one you have helped so much. God bless you.
     
  33. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are most welcome. Safe surfing and don't be a stranger to the site. Lots of good info here on many topics. ;)
     
  34. meep7

    meep7 Private E-2

    No question. I will be lurking about. :)
     
  35. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Good to know. :)
     
