malware check

Discussion in 'Malware Help (A Specialist Will Reply)' started by enemy1, Jan 17, 2010.

  1. enemy1

    enemy1 Private E-2

    Pre-malware removal:
    - couldn't access Task Manager
    - Restricted site warning for many popular sites such as Facebook and YouTube
    - many pop-ups claiming I was infected and should install antivirus software
    - weird processes encountering errors (e.g. 832943.exe encountered an error, or some other weird array of numbers)

    I am honestly not sure how I acquired these viruses because my brother is responsible (managed to catch a Vundo variant somehow). There was MyWebSearch, which my dad accidentally installed through spam mail, and I had Mega Manager, which I never got the time to remove (not sure if it's still there).


    I followed all the steps in your great guide (except those that I couldn't perform due to the fact that I'm running 64-bit Vista) and the problems seemed to be fixed.

    I just want to make sure I'm in the clear and that no traces are left on my system that could possibly lead to another outbreak of viruses.
     


  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    1. Before we continue I would like for you to use MSConfig to put this machine back into normal start up mode, if you haven't done so already.

    2. Please go to Add and Remove programs and uninstall the following software:

    • Java(TM) 6 Update 7
    • Java(TM) SE Runtime Environment 6 Update 1
    3. Now download The Avenger by Swandog469, and save it to your Desktop.

    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will pop up for you to view when you log in after the reboot.


    4. Now reboot your machine and install the most current and up to date version of Java available here at the below link:

    Java Runtime 6

    5. Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from avenger.

    6. Let us know of any problems you may have encountered with the above instructions and also let me know how things are running now!
     
  3. enemy1

    enemy1 Private E-2

    I followed your instructions and my computer seems to be running pretty smoothly.

    I'm glad this wasn't too difficult. I've heard of a lot of people running into some nasty problems when facing Vundo viruses.

    I attached the MGlogs.

    Concerns:
    - I ran Avenger and deleted it after the reboot because it is a powerful program and I don't want family messing around with it. But I later realized I did not see a pop-up of the Avenger log, nor can I find the log file anywhere.
    - The computer is smooth, but I did notice that my home page for Internet Explorer is now set to an "about:blank" page. My Firefox home page remained the same though.

    And I just want to say thanks for taking the time to help me out. =]
    It's really appreciated.
     


  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    1. Continue by downloading a tool we will need -

    Pocket_KillBox


    Save it to its own folder somewhere that you will be able to locate it later.

    Now run Pocket Killbox by double-clicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.

    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:

    • Delete on Reboot
    • then Click on the All Files button.*(or on the folders option)*
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    C:\s
    C:\Windows\system32\11478.exe
    C:\Windows\system32\11538.exe
    C:\Windows\system32\11942.exe
    C:\Windows\system32\12382.exe
    C:\Windows\system32\14604.exe
    C:\Windows\system32\14771.exe
    C:\Windows\system32\153.exe
    C:\Windows\system32\15724.exe
    C:\Windows\system32\16827.exe
    C:\Windows\system32\17421.exe
    C:\Windows\system32\18467.exe
    C:\Windows\system32\18716.exe
    C:\Windows\system32\19169.exe
    C:\Windows\system32\19718.exe
    C:\Windows\system32\19895.exe
    C:\Windows\system32\21726.exe
    C:\Windows\system32\23281.exe
    C:\Windows\system32\24464.exe
    C:\Windows\system32\26500.exe
    C:\Windows\system32\26962.exe
    C:\Windows\system32\28145.exe
    C:\Windows\system32\292.exe
    C:\Windows\system32\29358.exe
    C:\Windows\system32\2995.exe
    C:\Windows\system32\32391.exe
    C:\Windows\system32\3902.exe
    C:\Windows\system32\4827.exe
    C:\Windows\system32\491.exe
    C:\Windows\system32\5436.exe
    C:\Windows\system32\5447.exe
    C:\Windows\system32\5705.exe
    C:\Windows\system32\6334.exe
    C:\Windows\system32\9961.exe
    C:\Windows\SysWOW64\11478.exe
    C:\Windows\SysWOW64\11538.exe
    C:\Windows\SysWOW64\11942.exe
    C:\Windows\SysWOW64\12382.exe
    C:\Windows\SysWOW64\14604.exe
    C:\Windows\SysWOW64\14771.exe
    C:\Windows\SysWOW64\153.exe
    C:\Windows\SysWOW64\15724.exe
    C:\Windows\SysWOW64\16827.exe
    C:\Windows\SysWOW64\17421.exe
    C:\Windows\SysWOW64\18467.exe
    C:\Windows\SysWOW64\18716.exe
    C:\Windows\SysWOW64\19169.exe
    C:\Windows\SysWOW64\19718.exe
    C:\Windows\SysWOW64\19895.exe
    C:\Windows\SysWOW64\21726.exe
    C:\Windows\SysWOW64\23281.exe
    C:\Windows\SysWOW64\24464.exe
    C:\Windows\SysWOW64\26500.exe
    C:\Windows\SysWOW64\26962.exe
    C:\Windows\SysWOW64\28145.exe
    C:\Windows\SysWOW64\292.exe
    C:\Windows\SysWOW64\29358.exe
    C:\Windows\SysWOW64\2995.exe
    C:\Windows\SysWOW64\32391.exe
    C:\Windows\SysWOW64\3902.exe
    C:\Windows\SysWOW64\4827.exe
    C:\Windows\SysWOW64\491.exe
    C:\Windows\SysWOW64\5436.exe
    C:\Windows\SysWOW64\5447.exe
    C:\Windows\SysWOW64\5705.exe
    C:\Windows\SysWOW64\6334.exe
    C:\Windows\SysWOW64\9961.exe
    C:\Users\bobby\AppData\Local\Temp\BEUtIk0m.exe.part
    C:\Users\bobby\AppData\Local\Temp\svp8i.tmp
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.

    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).

    If Killbox does not reboot just reboot your PC yourself.


    2. Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

    3. Let us know of any problems you may have encountered with the above instructions and also let me know how things are running now!
     
  5. enemy1

    enemy1 Private E-2

    I followed the instructions with no problems, and no, I didn't receive the prompt. It asked me to reboot and I did.

    Killbox made its own folder at C:\ with what appears to be copies of many of the .exe files that it deleted.

    OK, something odd. The System32 folder seems to be cleared of all the junk that was in there before, but the SysWOW64 folder still contains all of its weird .exe files that were supposed to be deleted. (I checked the KB log file and those files were marked for deletion.)

    Here is another set of MGlogs.
    Hope this can get fixed. =/

    P.S.

    Just noticed another strange thing. When trying to attach stuff to this post I noticed a local disk "Q" listed which I could not access. Yet when I checked it out by clicking "My Computer" I could not find it.

    Summary: I can only see this drive listed when I'm trying to add attachments to my post. I reproduced this effect multiple times under different conditions.
    I don't know if this should be a cause for concern. =S
     


  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Let's try again:


    Now run Pocket Killbox by double-clicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.

    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:

    • Delete on Reboot
    • then Click on the All Files button.*(or on the folders option)*
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    C:\s
    C:\Windows\SysWOW64\drivers\worrz.sys
    C:\Windows\System32\drivers\worrz.sys
    C:\Windows\SysWOW64\11478.exe
    C:\Windows\SysWOW64\11538.exe
    C:\Windows\SysWOW64\11942.exe
    C:\Windows\SysWOW64\12382.exe
    C:\Windows\SysWOW64\14604.exe
    C:\Windows\SysWOW64\14771.exe
    C:\Windows\SysWOW64\153.exe
    C:\Windows\SysWOW64\15724.exe
    C:\Windows\SysWOW64\16827.exe
    C:\Windows\SysWOW64\17421.exe
    C:\Windows\SysWOW64\18467.exe
    C:\Windows\SysWOW64\18716.exe
    C:\Windows\SysWOW64\19169.exe
    C:\Windows\SysWOW64\19718.exe
    C:\Windows\SysWOW64\19895.exe
    C:\Windows\SysWOW64\21726.exe
    C:\Windows\SysWOW64\23281.exe
    C:\Windows\SysWOW64\24464.exe
    C:\Windows\SysWOW64\26500.exe
    C:\Windows\SysWOW64\26962.exe
    C:\Windows\SysWOW64\28145.exe
    C:\Windows\SysWOW64\292.exe
    C:\Windows\SysWOW64\29358.exe
    C:\Windows\SysWOW64\2995.exe
    C:\Windows\SysWOW64\32391.exe
    C:\Windows\SysWOW64\3902.exe
    C:\Windows\SysWOW64\4827.exe
    C:\Windows\SysWOW64\491.exe
    C:\Windows\SysWOW64\5436.exe
    C:\Windows\SysWOW64\5447.exe
    C:\Windows\SysWOW64\5705.exe
    C:\Windows\SysWOW64\6334.exe
    C:\Windows\SysWOW64\9961.exe
    C:\Users\bobby\AppData\Local\Temp\BEUtIk0m.exe.part
    C:\Users\bobby\AppData\Local\Temp\svp8i.tmp
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.

    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).

    If Killbox does not reboot just reboot your PC yourself.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.
     
  7. enemy1

    enemy1 Private E-2

    OK, I did it again.
    Some things I want to note:
    1) I'm clicking on "KillBox-Beta.exe".
    2) Every time I click on it, it tries to install "Roxio Media Manager".
    3) The installation of the Media Manager fails and I just keep clicking Cancel until Killbox comes up.

    Here's the log again.
    I still see the files in the same folder though. =S
     


  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Well I do not know why this is happening. I just tried it myself on my machine and had no problems with it.

    In any case, let us now use another tool as Killbox isn't helping us.


    Download and run OTM.

    Download OTM by Old Timer and save it to your Desktop.


    Code:
    :Files
    C:\Windows\system32\11478.exe
    C:\Windows\system32\11538.exe
    C:\Windows\system32\11942.exe
    C:\Windows\system32\12382.exe
    C:\Windows\system32\14604.exe
    C:\Windows\system32\14771.exe
    C:\Windows\system32\153.exe
    C:\Windows\system32\15724.exe
    C:\Windows\system32\16827.exe
    C:\Windows\system32\17421.exe
    C:\Windows\system32\18467.exe
    C:\Windows\system32\18716.exe
    C:\Windows\system32\19169.exe
    C:\Windows\system32\19718.exe
    C:\Windows\system32\19895.exe
    C:\Windows\system32\21726.exe
    C:\Windows\system32\23281.exe
    C:\Windows\system32\24464.exe
    C:\Windows\system32\26500.exe
    C:\Windows\system32\26962.exe
    C:\Windows\system32\28145.exe
    C:\Windows\system32\292.exe
    C:\Windows\system32\29358.exe
    C:\Windows\system32\2995.exe
    C:\Windows\system32\32391.exe
    C:\Windows\system32\3902.exe
    C:\Windows\system32\4827.exe
    C:\Windows\system32\491.exe
    C:\Windows\system32\5436.exe
    C:\Windows\system32\5447.exe
    C:\Windows\system32\5705.exe
    C:\Windows\system32\6334.exe
    C:\Windows\system32\9961.exe
    
    :Commands
    [emptytemp]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large MoveIt! button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it in your next reply.

    NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from OTM.

    Let us know of any problems you may have encountered with the above instructions and also let me know how things are running now!
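    The cleanup steps in posts 4, 6 and 8 all target the same thing: dozens of .exe files with purely numeric names dropped into both C:\Windows\System32 and C:\Windows\SysWOW64, removed with a "Delete on Reboot" tool. The following is an added PowerShell example, not code from the thread, Killbox, OTM or MGtools, showing the two checks a practitioner wants around that step: an inventory of all-digit-named executables in both directories (with file size, since 0-byte stubs are a common leftover), and a dump of what is already queued in PendingFileRenameOperations, the registry value the helper's Killbox warning refers to. With -Queue it schedules each hit for deletion at the next boot using MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT, which is the Windows mechanism that writes that value. It assumes Vista or later on x64 and an elevated PowerShell 2.0+ prompt; the function names and the -Queue switch are mine. One caveat worth knowing on 64-bit Windows: a 32-bit process that opens C:\Windows\System32 is silently redirected to C:\Windows\SysWOW64, so a 32-bit tool asked to delete a System32 path may operate on the SysWOW64 copy instead. The script uses the Sysnative alias to reach the native directory even from a 32-bit shell.

```powershell
# Added example, not code from the thread, Killbox, OTM or MGtools.
# Lists all-digit-named .exe files in the real System32 and in SysWOW64,
# shows what is already queued for delete-on-reboot, and with -Queue
# schedules each hit for deletion at next boot via MoveFileEx with
# MOVEFILE_DELAY_UNTIL_REBOOT, which is what populates the
# PendingFileRenameOperations value that Killbox warns about.
# Assumes Vista or later on x64 and an elevated PowerShell 2.0+ prompt.
param([switch]$Queue)   # report only unless -Queue is given

$winDir = $env:SystemRoot
# WOW64 file-system redirection: a 32-bit process opening System32 is silently
# sent to SysWOW64. The Sysnative alias (Vista+) bypasses that, so the script
# reaches the native directory even from a 32-bit PowerShell.
if ([IntPtr]::Size -eq 4 -and (Test-Path "$winDir\Sysnative")) {
    $native = "$winDir\Sysnative"
} else {
    $native = "$winDir\System32"
}
$dirs = @($native)
if (Test-Path "$winDir\SysWOW64") { $dirs += "$winDir\SysWOW64" }

function Get-DigitNamedExe {
    param([string[]]$Directories)
    foreach ($d in $Directories) {
        Get-ChildItem -Path $d -Filter *.exe -ErrorAction SilentlyContinue |
            Where-Object { $_.BaseName -match '^\d+$' } |
            ForEach-Object {
                New-Object PSObject -Property @{
                    Path    = $_.FullName
                    Bytes   = $_.Length      # 0-byte stubs are typical leftovers of a partial cleanup
                    Created = $_.CreationTime
                }
            }
    }
}

function Get-PendingFileRenames {
    # REG_MULTI_SZ of source/destination pairs; an empty destination means delete.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $v = (Get-ItemProperty -Path $key -Name PendingFileRenameOperations -ErrorAction SilentlyContinue).PendingFileRenameOperations
    if (-not $v) { return @() }
    $v = @($v)
    for ($i = 0; $i -lt $v.Count; $i += 2) {
        $dst = ''
        if ($i + 1 -lt $v.Count) { $dst = $v[$i + 1] }
        $action = 'delete'
        if ($dst) { $action = "rename to $dst" }
        New-Object PSObject -Property @{
            Source = $v[$i] -replace '^\\\?\?\\', ''   # strip the \??\ NT path prefix
            Action = $action
        }
    }
}

$k32 = Add-Type -Namespace Win32 -Name Kernel32 -PassThru -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, int dwFlags);
'@

function Request-DeleteOnReboot {
    param([string]$Path)
    $MOVEFILE_DELAY_UNTIL_REBOOT = 4
    if ($k32::MoveFileEx($Path, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)) { return $true }
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    Write-Warning "MoveFileEx failed for ${Path}: Win32 error $err"
    return $false
}

'== All-digit-named executables =='
$hits = @(Get-DigitNamedExe -Directories $dirs)
$hits | Format-Table Path, Bytes, Created -AutoSize

'== Already queued in PendingFileRenameOperations =='
Get-PendingFileRenames | Format-Table Source, Action -AutoSize

if ($Queue) {
    foreach ($h in $hits) {
        if (Request-DeleteOnReboot -Path $h.Path) { "queued: $($h.Path)" }
    }
    'Reboot to apply, then re-run without -Queue to confirm both lists are empty.'
}
```

    Run it once without -Queue and compare the inventory against the helper's list before scheduling anything; a file that is absent from the list is either already gone or sitting in the other directory because of the redirection described above. After the reboot, an empty PendingFileRenameOperations value plus an empty inventory is the confirmation that the delete-on-reboot step actually took effect on both directories.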
     
  9. enemy1

    enemy1 Private E-2

    OK, I ran the scan and here is the log that came up:
     


    Last edited by a moderator: Jan 22, 2010
  10. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    That's looking much better!

    Let's just do this:

    Use Windows Explorer to locate and delete the below bold 0-byte files:
    Let me know if they delete quietly or not.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.
     
  11. enemy1

    enemy1 Private E-2

    I deleted C:\Windows\SysWOW64\24464.exe, but could not find the other file.
     


  12. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Your logs are clean :)

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    8. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 6 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
    Last edited: Jan 24, 2010
  13. enemy1

    enemy1 Private E-2

    Thank you so much! =] <3
     
  14. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You're very welcome :)

    Oh, and Java! :)

    Go to add/remove programs and uninstall the below outdated java:
    • Java(TM) 6 Update 7

    Now reboot your machine and install the most current and up to date version of Java available here at the below link:

    Java Runtime 6.
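    The final-steps checklist in post 12 (re-enable UAC, flush the old restore points and create a clean one) and the outdated-Java cleanup that post 14 repeats from post 2 are the parts of this thread a practitioner would want to verify rather than trust. The following is an added PowerShell example, not code from the thread or from MGtools (enableUAC.reg and MGclean.bat are not reproduced here). It checks the EnableLUA value that enableUAC.reg restores, lists every Java entry in both the 64-bit and the 32-bit (Wow6432Node) Uninstall view, which matters on 64-bit Vista because Add/Remove Programs shows them mixed together, and only with -FlushRestorePoints discards the existing restore points and creates one clean point. It assumes an elevated PowerShell 2.0 or later prompt on Vista/7 x64; the function names and the switch are mine.

```powershell
# Added example, not code from the thread or from MGtools.
# Verifies the final-steps checklist on Vista/7 x64 from an elevated
# PowerShell 2.0+ prompt: UAC re-enabled, outdated Java runtimes gone from
# both registry views, and (only with -FlushRestorePoints) every old restore
# point discarded and one clean point created.
param([switch]$FlushRestorePoints)

function Get-UacEnabled {
    # EnableLUA=1 is what C:\MGtools\enableUAC.reg is meant to restore; a
    # change here only takes effect after a reboot.
    $p = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $v = (Get-ItemProperty -Path $p -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA
    return ($v -eq 1)
}

function Get-InstalledJava {
    # On x64 the 64-bit JRE registers under SOFTWARE and the 32-bit JRE under
    # SOFTWARE\Wow6432Node, so Add/Remove Programs alone can hide one of them.
    $roots = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
               'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall')
    foreach ($r in $roots) {
        if (-not (Test-Path $r)) { continue }
        $view = '64-bit'
        if ($r -match 'Wow6432Node') { $view = '32-bit' }
        Get-ChildItem -Path $r | ForEach-Object {
            $e = Get-ItemProperty -Path $_.PSPath
            if ($e.DisplayName -like 'Java*') {
                New-Object PSObject -Property @{
                    Name      = $e.DisplayName
                    Version   = $e.DisplayVersion
                    View      = $view
                    Uninstall = $e.UninstallString
                }
            }
        }
    }
}

function Reset-RestorePoints {
    param([string]$Drive = $env:SystemDrive)
    # Turning System Restore off deletes every existing point, which is the
    # goal: a point taken while infected must not be restorable later.
    Disable-ComputerRestore -Drive "$Drive\"
    Enable-ComputerRestore  -Drive "$Drive\"
    Checkpoint-Computer -Description 'Clean after malware removal' -RestorePointType MODIFY_SETTINGS
}

if (Get-UacEnabled) {
    'UAC: enabled'
} else {
    Write-Warning 'UAC is disabled: merge C:\MGtools\enableUAC.reg (or set EnableLUA=1) and reboot'
}

$java = @(Get-InstalledJava)
if ($java.Count -eq 0) {
    'Java: nothing installed'
} else {
    'Java entries found (keep only the current release, uninstall the rest):'
    $java | Sort-Object Version | Format-Table Name, Version, View -AutoSize
}

if ($FlushRestorePoints) {
    Reset-RestorePoints
    'Old restore points discarded; one clean restore point created.'
}
```

    Run it without the switch first: the Java table should show a single current entry once the two outdated runtimes named in posts 2 and 14 are gone, and the UAC line should read "enabled" after the reboot that follows enableUAC.reg. Add -FlushRestorePoints only after the helper has declared the logs clean, since it throws away every existing restore point. On Windows 8 and later, Checkpoint-Computer refuses to create a second point within 24 hours unless the SystemRestorePointCreationFrequency value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore is lowered.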
     
