Malware Removal Aftermath #1

Discussion in 'Malware Help (A Specialist Will Reply)' started by JudithK, Sep 24, 2008.

  1. JudithK

    JudithK Private E-2

    My PC (Windows2K Pro) acquired several viruses (apparently: UPS, Privacy and Virtumondo) about 10/12 days ago. Eventually, I figured out I had a really serious problem and used AVG (V8) to remove them. This appeared to be successful but not long after the scan/removal was done, other symptoms appeared.

    For sure there is something wrong with the registry as the file association no longer works -- when I click on a file, its application does not start up even though the software/class/typlib registry keys are visible. However, if I highlight the file and then choose Open With... all the programs are displayed and can be chosen. Also, I cannot run Add/Remove Programs because it cannot display the icons that usually show on the left of its screen. Additionally I cannot access the Local Users and Groups via the Administrative Tools.

    I have followed the Malware Removal guide (and was surprised to see how much more stuff was found!) and am attaching the logs you requested. I do hope you can help me clear up this problem.

    Thanks
    Judith K.
     

    Attached Files:

  2. JudithK

    JudithK Private E-2

    Last Attachments
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!


    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

    After clicking Fix, exit HJT.

    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  4. JudithK

    JudithK Private E-2

    Okay, followed all instructions without any problems and did receive a "Successful" message after running FIXME.reg. The ComboFix and MGtools logs are attached.

    Unfortunately, I am still having the same problems: I cannot run Add/Remove programs apparently because of no link to the icons; I cannot link to anything; the file associations are only working where I have gone in and updated them manually; cannot display fonts or compiled Help topics.

    Hope you've got some more suggestions....??

    Anyway thanks for the help; I do appreciate it.

    Judith
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    We have a little more cleaning to do. Also I have a question. Do you know what the below fairly new file is for?
    Code:
    2008-09-18 04:31 60,968 ----a-w C:\WINNT\system32\wpfb_s3savmx.dll
    If not, I suggest you scan it at the below link and see if any problems are found with it:

    http://www.virustotal.com/

    These are actually topics better discussed in the Software Forum, but I will quickly give a couple things to look at. For Add/Remove Programs, click on Start and select Run. Then, in the run box type
    appwiz.cpl and then click OK. See if this opens up Add/Remove Programs. If you get a message that appwiz.cpl is not found then that may be your problem.

    I will try to add a patch to the below that will fix a few of missing file associations that I can see from one of your logs, but for others you are better off manually fixing them since you may not use the same programs that I have associated. You could also fix certain associations within some of the programs you run. Like by running Windows Media Player you can fix things associated with it.




    Now we need to use ComboFix.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now doubleclick the fixme.reg patch saved to your desktop last time and allow it to be added to your registry.

    Now download the attached FixAssoc.zip file to the C:\MGtools folder. Then extract ALL files from the FixAssoc.zip file into the C:\MGtools folder. Now locate the FixAssoc.bat file and run it by double clicking on it. This will try to fix associations for scr, txt, vbe, vbs, wsf, wsh, and xml files.

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     

    Attached Files:
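As an added example (not the FixAssoc.bat attached to the post, whose contents are not shown here), the batch script below reports the extension -> ProgID -> open-command chain for each extension the post names, and with /fix writes back what it assumes are the stock Windows 2000/XP defaults; the ProgIDs and commands are assumptions, so compare them with a known-good machine before relying on them.

```batch
@echo off
rem Added example, not MajorGeeks' FixAssoc.bat. Reports the current file
rem association chain for the extensions named in the post and, with /fix,
rem restores ASSUMED stock Windows 2000/XP defaults. assoc/ftype write to
rem HKEY_CLASSES_ROOT, so run from an administrator command prompt.
rem Usage:  checkassoc.bat          (report only)
rem         checkassoc.bat /fix     (restore defaults, then re-run to verify)
setlocal
set FIX=0
if /i "%~1"=="/fix" set FIX=1

rem --- report: extension -> ProgID -> open command ----------------------
for %%E in (.scr .txt .vbe .vbs .wsf .wsh .xml) do call :report %%E
if %FIX%==0 goto :eof

rem --- restore: assumed stock defaults (%%1 / %%* become %1 / %* in HKCR) --
assoc .scr=scrfile
ftype scrfile="%%1" /S
assoc .txt=txtfile
ftype txtfile=%SystemRoot%\system32\NOTEPAD.EXE %%1
assoc .vbe=VBEFile
ftype VBEFile=%SystemRoot%\System32\WScript.exe "%%1" %%*
assoc .vbs=VBSFile
ftype VBSFile=%SystemRoot%\System32\WScript.exe "%%1" %%*
assoc .wsf=WSFFile
ftype WSFFile=%SystemRoot%\System32\WScript.exe "%%1" %%*
assoc .wsh=WSHFile
ftype WSHFile=%SystemRoot%\System32\WScript.exe "%%1" %%*
assoc .xml=xmlfile
ftype xmlfile="%ProgramFiles%\Internet Explorer\iexplore.exe" -nohome
echo Defaults restored; re-run without /fix to verify.
goto :eof

:report
rem %1 is the extension; assoc prints ".ext=ProgID" or an error if unset.
set PROGID=
for /f "tokens=2 delims==" %%P in ('assoc %1 2^>nul') do set PROGID=%%P
if not defined PROGID (
    echo [MISSING] %1 has no ProgID
    goto :eof
)
rem ftype prints "ProgID=command"; an empty command means a broken chain.
set OPENCMD=
for /f "tokens=1,* delims==" %%A in ('ftype %PROGID% 2^>nul') do set OPENCMD=%%B
if not defined OPENCMD (
    echo [BROKEN]  %1 -^> %PROGID% has no open command
) else (
    echo [OK]      %1 -^> %PROGID% = %OPENCMD%
)
goto :eof
```

A [MISSING] or [BROKEN] line is the registry-side cause of the "double click does nothing, but Open With works" symptom described in the thread; the report is safe to run at any time, only /fix changes anything.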

  6. JudithK

    JudithK Private E-2

    The file you found (wpfb_s3savmx.dll) is a backup created by my WinPortrait software which I did reinstall on the 18th.

    Also, appwiz.cpl is on my machine, but it still bombs out on the inability to display the icons. All the other problems are still happening. Thanks for the suggestion -- I'll post in the Software forum and hope that someone there can give me a fix.

    I've attached the logs and a screenshot of an error received when running HiJack -- I don't know what, if any, effect it had as the program seemed to run to completion without a problem.

    Again, my thanks for your help.
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Looks like you did not create the NEW cfscript.txt file for my last combofix procedure properly. Some items were not removed. You should redo this or just delete those folders manually. However this will not fix the problems you are having as they are not malware problems. You are having problems due to missing or corrupted operating system files and/or registry keys. It would be best for you to work those problems in the Software Forum. You may need to do a repair. Also running sfc /scannow from the Start, Run, box may be useful.
     
  8. JudithK

    JudithK Private E-2

    Well, I thought I had the right script, but at this point, who knows...I'll do the deletions manually.

    I did post to the Software forum and have gotten some great help with the file associations problem.

    One last question -- since I'm still unable to read compiled help files, pls: what is "sfc /scannow" ?

    Anyway, I just want to say Thanks Again! I do appreciate your taking the time to help.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    See this http://support.microsoft.com/kb/222471/EN-US/


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\combofix folder from combofix (if it exists)
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    8. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
