Had some serious malware problems - seem to be cleaned up...

Discussion in 'Malware Help (A Specialist Will Reply)' started by BigFatDynamo, Mar 1, 2008.

  1. BigFatDynamo

    BigFatDynamo Private E-2

    Hey folks,

    About a month ago I started having some problems with IE popping up while I was using Firefox. Simple installation of No-Script and AdBlock+ to Firefox didn't seem to do any good, so I went looking for answers. Luckily, I found this lovely website and have since slavishly devoted myself to cleaning up this computer. After much difficulty, things seem to be running smoothly. I'd like it if you folks could take a look at my logs and let me know how I did?

    Note: I could not attach my SAS log because it is too large... it's 557KB, which exceeds the limit of 250KB. Suggestions?

    Thank you very much in advance, and thanks for taking the time to run such a great site. I've recommended it to all my friends, or at least, those that don't know much about computers (like myself).

    Also, I'm having a bit of trouble getting SuperAntiSpyware to update. I'm running Online Armor for the firewall it provides. I've tried allowing the program to run freely, but I'm still getting a message saying that the firewall is preventing it from working properly. Any ideas, short of disabling the firewall altogether?

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Combofix removed a large amount of malware ...let's do the rest:

    Tell me what this is:
    C:\WINDOWS\VCBT

    Please disable all anti-virus and anti-spyware programs while we do the following:

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Now download The Avenger by Swandog469, and save it to your Desktop.

    * Extract avenger.exe from the Zip file and save it to your desktop
    * Run avenger.exe by double-clicking on it.
    * Check the 'Input script manually' box.
    * Click on the magnifying glass icon.
    * Copy everything in the Quote box below, and paste it in the box that opens:

    * Now click the 'Done' button.
    * Click on the traffic light icon and OK the prompt.
    * You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

    Be sure to tell us how things are running.
     
  3. BigFatDynamo

    BigFatDynamo Private E-2

    TimW,

    Thanks for the quick reply. When I ran MGTools I could not find the following:

    O4 - HKLM\..\Run: [addlo.exe] C:\WINDOWS\system32\addlo.exe
    O4 - HKCU\..\Run: [Router] C:\Program Files\Router\Router.exe

    They were not listed when I ran the program. I fixed the other things you suggested. I am wondering if they did not show up because these two things may have been fixed by scans from SpyBot and SuperAntiSpyware subsequent to when I last ran MGTools? I have been working this problem in my spare time, but have been lax in posting everything together until the other day. Since first running MGTools on 2/23/08, I have run both SpyBot and SAS on 3/2/08. I will include the latest MGLog (created today after fixing three of the suggested fixes) for your perusal.

    According to the properties window, this is a 0 byte, 0 content folder created on 2/5/08. Not sure how it came about, but it was created around the time I started having the pop-up problem.

    I have not downloaded and run the Avenger yet, as I thought it would be prudent to wait for further direction in regards to the missing O4's in HJT.

    Thank you again for your help,

    BFDynamo

    P.S. Combofix did find a lot of stuff, though SAS had something like 10,000 fixes to do. I'm sure a lot of it was little stuff, but still, that's a bit obscene!
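The two O4 lines quoted above are HijackThis's shorthand for Run-key autorun values, and the question in the post is whether they are still in the registry. As an added example (not code from this thread, MajorGeeks, TimW, or HijackThis), the script below parses O4 lines into their full registry key, value name and executable path, prints the `reg query` command that confirms on the machine whether each value still exists, and builds the `"name"=-` lines regedit uses to delete values from a merged .reg file. The first two sample lines are the ones from this post; the third sample line, the non-O4 line, and the .reg output are constructed for illustration and are not the fixME.reg TimW actually posted (which is not reproduced on the page). The expansion of HJT's `..` to `Software\Microsoft\Windows\CurrentVersion` is HijackThis's own convention.

```python
"""Parse HijackThis "O4" autorun lines into verifiable registry locations.

Added example for this thread; it is not code from MajorGeeks, TimW, or
HijackThis. The ".." shorthand HJT prints in O4 lines stands for
Software\\Microsoft\\Windows\\CurrentVersion (HJT's own convention).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# What HijackThis abbreviates as ".." in O4 lines.
CURRENT_VERSION = r"Software\Microsoft\Windows\CurrentVersion"

HIVES = {
    "HKLM": "HKEY_LOCAL_MACHINE",
    "HKCU": "HKEY_CURRENT_USER",
    "HKU": "HKEY_USERS",
}

# Shape of a registry O4 line: O4 - HKLM\..\Run: [value name] value data
O4_RE = re.compile(
    r"^O4\s*-\s*(?P<hive>HK[A-Z]+)\\(?P<key>[^:]+):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$"
)

# The first two lines are the O4 entries quoted in post #3. The third and
# fourth are constructed to exercise a quoted path with arguments and a
# non-O4 line; they are not from the thread.
SAMPLE_LINES = [
    r"O4 - HKLM\..\Run: [addlo.exe] C:\WINDOWS\system32\addlo.exe",
    r"O4 - HKCU\..\Run: [Router] C:\Program Files\Router\Router.exe",
    r'O4 - HKLM\..\Run: [Example] "C:\Program Files\Example\ex.exe" /quiet',
    r"O2 - BHO: (no name) - (no file)",
]


@dataclass(frozen=True)
class AutorunEntry:
    hive: str     # e.g. HKEY_LOCAL_MACHINE
    subkey: str   # e.g. Software\Microsoft\Windows\CurrentVersion\Run
    name: str     # registry value name (the bracketed part of the O4 line)
    command: str  # raw value data as HJT printed it
    image: str    # best-effort executable path pulled out of command

    @property
    def key_path(self) -> str:
        return self.hive + "\\" + self.subkey


def _image_path(command: str) -> str:
    """Quoted path if present, otherwise everything up to the first '.exe'."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.search(r"\.exe", command, re.IGNORECASE)
    return command[: m.end()] if m else command


def parse_o4(line: str) -> Optional[AutorunEntry]:
    """Return an AutorunEntry for a registry O4 line, or None for anything else."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    return AutorunEntry(
        hive=HIVES.get(m["hive"], m["hive"]),
        subkey=m["key"].replace("..", CURRENT_VERSION),
        name=m["name"],
        command=m["cmd"].strip(),
        image=_image_path(m["cmd"]),
    )


def verify_command(entry: AutorunEntry) -> str:
    """reg.exe query that shows whether the value is still present (reg.exe ships with XP)."""
    return 'reg query "%s" /v "%s"' % (entry.key_path, entry.name)


def _reg_escape(s: str) -> str:
    # .reg syntax escapes backslashes and double quotes inside quoted names.
    return s.replace("\\", "\\\\").replace('"', '\\"')


def reg_delete_values(entries: List[AutorunEntry]) -> str:
    """Body of a .reg file that removes the given values ("name"=- deletes a value)."""
    by_key: Dict[str, List[str]] = {}
    for e in entries:
        by_key.setdefault(e.key_path, []).append(e.name)
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, names in by_key.items():
        lines.append("[%s]" % key)
        lines.extend('"%s"=-' % _reg_escape(n) for n in names)
        lines.append("")
    # regedit expects CRLF line endings and a trailing blank line.
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    found = [e for e in map(parse_o4, SAMPLE_LINES) if e]
    for e in found:
        print(e.key_path, e.name, "->", e.image)
        print("  check:", verify_command(e))
    print(reg_delete_values(found))
```

The `reg query` output is the ground truth for whether an entry HijackThis no longer lists was actually removed by an earlier scanner or is simply hidden from the current scan; the .reg text is only useful once that query has confirmed the value still exists, and merging it removes the autorun value but not the executable it pointed at.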

  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please just continue with the fix ....and then get me the logs for MGLogs.zip and ComboFix.
     
  5. BigFatDynamo

    BigFatDynamo Private E-2

    TimW,

    Ok, I followed your instructions. The Avenger thing didn't go over so well, but it worked. For some reason, the program I used was completely different from what you described. There was no magnifying glass, no check box, no stoplight. I simply entered the text into the main box, clicked execute, and went on my merry way. My computer had issues starting up properly, but I think that was a fluke.

    You requested the logs from Combofix, though I think you meant Avenger, as the Combofix logs have not changed. I have included the Avenger log for your perusal.

    Thank you for your help,

    BFD

  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Your logs look clean.

    If you are not having any other malware problems, it is time to do our final steps:

    1. If we used Pocket Killbox during your cleanup, do the below
    * Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix, you can delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, C:\WINDOWS\nircmd.exe, C:\combofix.txt and C:\ComboFix-quarantined-files.txt logs that were created.
    3. If we used SDFix, you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    6. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    7. If we had you run Avenger, you can delete all files related to Avenger now.
    8. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    9. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    10. If you are running Windows XP or Windows ME, do the below:
    * Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore which will flush your Restore Points.
    * Then reboot and Enable System Restore to create a new clean Restore Point.
    11. After doing the above, you should work thru the below link:
    *How to Protect yourself from malware!