Help Cleaning FILs rig

Discussion in 'Malware Help (A Specialist Will Reply)' started by Karkas, Jun 1, 2009.

  1. Karkas

    Karkas Private E-2

    My father-in-law's rig is badly infested. I ran the sticky and it's much better, but at least one svchost process remains and causes the system to freeze, esp. when launching "my computer".

    I'm attaching the scan logs from the sticky.

    Please let me know whatever additional info you need

    Thanks in advance!

    P.S. Someone slap me for ever volunteering to build him a rig!
     

    Attached Files:

  2. Karkas

    Karkas Private E-2

    I figured I'd add more info, I hope it is useful.:)

    The process which seems to be causing the system freeze is a svchost process.

    I found if I kill the process the system freezes go away (for the most part). Killing prompts a system shutdown, but a shutdown /a command stops that... It uses the remote procedure call service which I understand can not be disabled.

    Would I be able to delete the file then try to repair windows or sfc /scannow to try to replace it?

    I attached a screen shot with some details that may be useful. If this info is way off base just ignore it.

    Thanks again guys:-D
     

    Attached Files:

  3. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Welcome to MajorGeeks!

    I am currently reviewing your logs and will get back to you with a set of instructions as soon as possible. Our queue is working the oldest threads first.

    Thanks for your patience.
    dr.m
     
  4. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Hello, Karkas


    The below fixes are specific to your problem and should only be used for issue(s) on this machine. Also, please do not install any other software while we are still working with you unless instructed. Once we have given you the all clean and final instructions you will be free to install what you want.

    Question: Did you receive any error messages while running MGTools? The contents of your attached MGLogs.zip didn't contain the expected set of logs. Make sure that you have saved MGTools.zip to, and run it from, your C drive where Windows is installed.

    Step 1:
    We're going to use ComboFix to remove some malware.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. *Remember to re-start them before coming back online.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
      If it asks you to override the previous file with the same name, click YES.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Step 2:
    Open CCleaner - select "Cleaner" > "Run Cleaner" <---use this function ONLY!

    Step 3:
    Then run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, use right click and select Run As Administrator).

    Please attach the below logs to your next reply:
    • C:\MGlogs.zip
    • C:\combofix.txt

    Make sure you tell me if you had any problems running this procedure - if you get any error messages when running GetLogs.bat, and give a description of how things are working now!

    dr.m
     
  5. Karkas

    Karkas Private E-2

    Dr. M

    Let me start by thanking you and your anti-malware partners for the help you provide a million times :-D

    Having said that, I am still having problems with the system freezing for 5 - 30+ seconds every few minutes or so. (I can force a 30+ second system freeze by opening "my computer".)

    Running svchostanalyzer shows that the svchost process I mentioned in my 2nd post still has restricted access & killing it seems to alleviate the system freezing.

    To address your 1st question, I'm not sure if the 1st time I ran MGtools there was an error. I walked out of the room for a minute after it started the scan and when I came back the system was rebooting. Since it appeared there was the .zip file with data inside, I assumed it rebooted as part of the normal process.

    Running your fixes this time presented no errors to me other than the combofix update not being run (this machine was not connected to the internet and since it was updated just a few days ago I assumed this would not be an issue).

    I did run the update after I connected the internet and it DID grab an update so I hope this isn't a problem for you/me (sorry:cry).

    Here are the logs:
    Problem: When I looked for the combofix.txt log it was gone. I know it was there after I dragged the CFscript.txt onto combofix.exe, but now it's gone... I included the mglog from before rescan (mglogs2.zip).

    I reran everything in your post to get the combofix.txt file. When I ran getlogs.bat the system crashed. After it rebooted I deleted the incomplete mglogs.zip, and reran getlogs.bat. This time no system crash and I included the file (mglogs.zip)
     

    Attached Files:

  6. Karkas

    Karkas Private E-2

    Should have said...
    Sorry about that it wouldn't let me edit my post.
     
  7. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    :)

    I found no further signs of infections in your recent logs.

    Notes: After checking on:

    c:\docume~1\Ben\LOCALS~1\Temp\cpuz132\cpuz132_x32.sys
    I didn't have a problem downloading and installing CPU-Z to my Program Files folder. *Did you download it or did you just run it without saving the application?

    * Re: your last post reply - I have these ideas and or questions for you:
    • Does it happen if no browsers are open?
    • Does it happen if the cable to the internet is disconnected?
    • Does it happen if protection software is disabled?
    • Does it happen in safe boot mode?

    dr.m
     
  8. Karkas

    Karkas Private E-2

    I'm confused, I don't remember discussing anything to do with that cpuz you listed and it isn't in the file path you listed. What are you asking?:-o:confused

    In a nutshell: At anytime I can force a 5 - 10 second freeze simply by opening "My computer".

    If I try to open "my Computer" when online & browsing this often results in a 1 - 3 minute total system freeze. Simply trying to browse the internet causes the computer to freeze for 10 - 30 seconds every 15 seconds or so.

    If I'm offline it takes a long time to get the system to freeze unless I open "my Computer" which usually causes the 5 - 10 second freeze I listed above.

    Note: The OS install on this system is only about 2 - 3 months old and there was absolutely no "my computer" lag/freeze prior to him contracting this malware.
     
  9. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Hello, karkas

    The above is something I saw that looked strange in that directory from your last logs:
    CPU-Z is freeware that gathers information on some of the main devices of your system.

    Now - back to your answers. You need to find out if it happens in Safe Mode. If it does (and your logs appear to be clean), it may be due to some damage caused by the malware you had. *If it does not happen in Safe Mode - something is being loaded while you're in Normal Boot Mode and you'll have to figure out what.

    Let's try some online scans!

    1) This procedure explains how to get to the PandaActiveScan site to set up and perform an online scan. It also explains how to obtain a log so you can attach it to a message. You must use Internet Explorer to run this scan and make sure your Sun Java version is current.

    * If you are in safe mode, reboot into normal mode now.

    To start the online scan go here: Panda ActiveScan


    To run the Online Scan continue with the below steps.
    1. When the page appears, click the Scan your PC button.
    2. In the next window, click the Check Now button
    3. Click the Scan Now button
    4. If you get a prompt about an Active-X component, allow the component to be installed.
    5. Now a download to your PC will begin. This is a required component for the scan. It contains detection information. (Note: It may take a while to download based on your connection speed.)
      • A second prompt will appear to allow the component to be updated
    6. When the scan is finished close the popup window and then click See Report
    7. Click Yes to the prompt, then click Save Report
    8. The default report name is Activescan.txt. Just save it where you can find it so you can attach to your message.

    2) Now also run Using BitDefender Online Scan

    Then attach the below logs to your next reply:
    • ActiveScan.txt
    • bdscan.txt

    dr.m
     
  10. Karkas

    Karkas Private E-2

    I put that on his system when I overclocked it, I'm sure I DL'd it.

    Here are the logs. FYI the E drive was an old infested drive that I neutered so he can no longer boot from it (due to his last malware infestation).

    NOTE: The BDScan did not allow me to change the save type to text from html. I tried giving it the .txt file extension anyway, but the file was too big to add as an attachment. Here is the link to get it http://www.box.net/shared/ielk7bzcth. Dunno what else to do... I followed the bitdefender scan directions exactly.:confused
     

    Attached Files:

  11. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Karkas -

    I need to know definitely whether or not you have the system freeze problem while in Safe Mode.

    Do the following:
    • Toggle your System Restore to flush your old restore points. Disable And Enable System Restore
    • Open CCleaner - select "Cleaner" > "Run Cleaner" <---use this function ONLY!
    • Run ATF Cleaner by Atribune

      • This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
      • Double-click ATF-Cleaner.exe to run the program.
      • Under Main choose: Select All
      • Click the Empty Selected button.

      If you use Firefox browser

      • Click Firefox at the top and choose: Select All
      • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    Now - update ALL Scanners and run them - attach the below logs to your next reply.
    • SASlog.txt log
    • Malwarebytes Anti-Malware log
    • ComboFix.txt
    • MGlogs.zip

    Remember to answer my question and to describe how the PC is now running.

    dr.m
     
  12. Karkas

    Karkas Private E-2

    I followed the new instructions and am sad to report that I still seem to have the exact same problems with system hang as before.

    On a positive note I think I can definitively say that there is absolutely no system hang in safe mode or even safe mode with networking. I used it for several hours including internet browsing and left it running for over 24 hours and never saw it hang once.

    At anytime I can force a 5 - 10 second freeze simply by opening "My Computer".

    If I try to open "My Computer" when online & browsing this often results in a 1 - 3 minute total system freeze. Simply trying to browse the internet or typing into the browser causes the computer to freeze for 10 - 30 seconds every 15 seconds or so.

    If I'm offline it takes a long time to get the system to freeze unless I open "My Computer" which usually causes the 5 - 10 second freeze and no drives will be shown until it frees up again.

    If I access "My Computer" through another program I don't get a system freeze. Example: When I went to upload the logs I clicked the "Browse" button in the manage attachments window, then selected "My computer" and it showed "My Computer" contents instantly with no system freeze at all.

    Anyway, here are the logs

    Thanks again dr.m
     

    Attached Files:

  13. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Hello, Karkas

    * A reminder to follow my steps for log generation in the order given, to avoid extra work determining the current status of the machine.

    IMPORTANT EDIT: A question -
    Referring to the files that SAS deleted from the E drive under the Trojan.Agent/Gen-ImageDocFake heading... were they files that you know were valid?


    Step 1:
    The problem not occurring in Safe Mode means it is obviously due to a driver, process, or service that runs in normal boot mode but not safe mode. Let's try something -
    • Click on Start, then Run ... type services.msc into the box that opens up, and press OK.
    • On the page that opens, scroll down to locate a reference to Ati Hotkey Poller
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the "Start-up Type" to Disabled.
    • Click OK until you get back to Windows Explorer.

    Step 2:
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Make sure you have shut down all protection software (antivirus, antispyware, firewall...etc) programs so they do not interfere with the running of ComboFix. *Remember to re-start them before coming back online.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
      If it asks you to override the previous file with the same name, click YES.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    • Follow the prompts.
    • When it finishes, a log will be produced named C:\DeQuarantine_log.txt
    • I will ask for this log below

    Step 3:
    Using Windows Explorer - navigate to and delete the following:
    C:\WINDOWS\system32\gxvxccount

    Step 4:
    Open CCleaner - select "Cleaner" > "Run Cleaner" <---use this function ONLY!

    *Re-boot

    Step 5:
    Then run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, use right click and select Run As Administrator).

    Please attach the below logs to your next reply:
    • C:\MGlogs.zip
    • C:\DeQuarantine_log.txt

    Make sure you tell me if you had any problems running this procedure and give a description of how things are working now!

    dr.m
     
    Last edited: Jul 1, 2009
  14. Karkas

    Karkas Private E-2

    I'm not sure since it isn't my rig. Though I'm fairly sure the docs were valid. No idea about most of the rest of it though...


    I had no problems following your instructions and the only thing of note was after I ran everything and tried to launch my browser to post the logs the internet connection was lost. I rebooted and was able to connect to the internet again. Maybe nothing, maybe important to you. (ati hotkey poller is still disabled).

    Oh and I couldn't delete C:\WINDOWS\system32\gxvxccount. It was already quarantined @ C:\Qoobox\Quarantine\C\WINDOWS\system32\gxvxccount.vir, so I left it there undeleted.

    Unfortunately it looks like the computer is running as horribly as before:cry

    Logs attached
    Thanks
     

    Attached Files:

  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    There was a typo in the last fix dr.moriarty gave you. The below file
    C:\Qoobox\Quarantine\C\WINDOWS\system32\ATIODE.exevir

    should have been named
    C:\Qoobox\Quarantine\C\WINDOWS\system32\ATIODE.exe.vir

    The missing period caused it not to be restored from the quarantine folder. If you know how to copy & rename files from one folder to another, just copy the above file back to the C:\windows\system32 folder and then right click on it and select Rename and remove the .vir extension so that the file is only named ATIODE.exe

    This is not due to any remaining malware. Back a few messages ago, you said things ran fine in safe boot mode. You need to determine what from the list of startup processes and services that you are loading may be causing the problem when you boot in normal mode.

    This is the place where MSconfig should be used to do debugging. With MSconfig you can selectively disable Startups and various non-windows services to see if you can locate which one is responsible for your problem. I put non-windows services in bold print since you need to be extremely careful what you disable under the Services tab of MSconfig. When you select the Services tab, first check the box at the bottom that says Hide All Microsoft Services. This way you will not disable any critical Microsoft services.

    This is a process of elimination where you are trying to zero in on the possible problem. I suggest you first start by running MSconfig and selecting only the Startup tab and then click the Disable All button. Then click OK. Then reboot in normal (not safe ) boot mode. You will be in selective startup mode but that is okay while debugging.

    If disabling the Startups does not remove the problem, move on to the Services tab and remember to hide Microsoft services first. Then uncheck half of the services and then click Apply, OK and then reboot. If no luck, reenable the first half of the services, and uncheck the second half then click Apply, OK and then reboot. Assuming this fixes the problem, then slowly add services back in until you find the one that causes the problem.

    Let us know how this goes or if you don't understand something.
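    The two things this thread turns on, which svchost.exe instance hosts which services (post #2) and the process-of-elimination over non-Microsoft services that chaslang describes above, can be prepared with the added script below. It is an illustration written for this page, not code from MajorGeeks or any poster; it assumes Windows PowerShell 2.0 or later run from an administrator prompt, and it only reads and reports, it disables nothing.

```powershell
# Added example for this thread (not MajorGeeks' or any poster's code). Assumes
# Windows PowerShell 2.0 or later, run from an administrator prompt. Read-only:
# it inspects services and prints a bisection plan; it never changes anything.

$services = Get-WmiObject -Class Win32_Service

# 1) Which services live inside each svchost.exe? Same data as "tasklist /svc",
#    which is how to see what a single svchost PID (e.g. the RPC host) is carrying.
$svchostIds = Get-Process -Name svchost -ErrorAction SilentlyContinue | ForEach-Object { $_.Id }
foreach ($procId in $svchostIds) {
    $hosted = @($services | Where-Object { $_.ProcessId -eq $procId } | ForEach-Object { $_.Name })
    "svchost.exe PID $procId hosts: $($hosted -join ', ')"
}

# Extract the executable from a service's PathName, which is either quoted
# ("C:\Program Files\x\y.exe" -arg) or bare (C:\WINDOWS\system32\svchost.exe -k netsvcs).
function Get-ServiceBinary {
    param([string]$PathName)
    if ($PathName -match '^"([^"]+)"')  { return $Matches[1] }
    if ($PathName -match '^(\S+\.exe)') { return $Matches[1] }
    return $PathName
}

# 2) Auto-start services whose binary is not Microsoft-signed: roughly the set
#    MSconfig shows once "Hide All Microsoft Services" is ticked, i.e. what to bisect.
#    Matching the signer subject on 'Microsoft' is a sorting heuristic, not a trust decision.
$thirdParty = @(foreach ($svc in $services) {
    if ($svc.StartMode -ne 'Auto') { continue }
    $exe = Get-ServiceBinary $svc.PathName
    if (-not $exe -or -not (Test-Path -LiteralPath $exe)) { continue }   # e.g. unexpanded %SystemRoot%
    $sig = Get-AuthenticodeSignature -FilePath $exe
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
    if ($signer -notmatch 'Microsoft') {
        New-Object PSObject -Property @{ Name = $svc.Name; State = $svc.State; Binary = $exe; Signer = $signer }
    }
})

# 3) The two halves for the first round of the process of elimination.
$half = [math]::Ceiling($thirdParty.Count / 2)
"--- Half A: uncheck these in MSconfig > Services, Apply, reboot, retest ---"
$thirdParty | Select-Object -First $half | Format-Table Name, State, Signer, Binary -AutoSize
"--- Half B: if A made no difference, re-enable A and uncheck these instead ---"
$thirdParty | Select-Object -Skip $half | Format-Table Name, State, Signer, Binary -AutoSize
```

    Keep the printed halves with the MSconfig session so that every service unchecked in one round is re-enabled before the next, otherwise the elimination loses track of which change produced the result.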
     
  16. Karkas

    Karkas Private E-2

    Thank you for all of your help guys, chaslang was right that it was a program (carbonite) that was causing the lockups. I'm in contact with the company atm to figure out why. They claim it couldn't do it, but they are reviewing the logs anyway.

    Thanks again guys! You are awesome!:-D
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Interesting. They also make the below claim online:
    I guess they have to redefine the meaning of never or the meaning of slow.:-D
     
