Malware help

Discussion in 'Malware Help (A Specialist Will Reply)' started by Noviced, Feb 2, 2012.

  1. Noviced

    Noviced Private E-2

    Became infected 2 days ago, maybe longer; found your site yesterday. Tons of what looks like great stuff. However, my knowledge and experience are lacking. I followed your Read and Run section as best I could all yesterday. Both SuperAntiSpyware & Malwarebytes seemed to work.

    Today I ran into trouble with ComboFix (a blue screen; got to the "scanning for infected files" sentence, waited an hour, then noticed the system had locked up 15 min. in). Also had Norton AV pop up; thought it was disabled properly. RootRepeal.rar didn't run. It sent me to a pop-up box: "Add file C:\ Rootrepeal, Add to archive". Tried it with the zip and got the error "invalid PE image not found". No scan run. I proceeded with MGtools. It ran, so here is the log, I hope. Now I can't find the other 2 and don't know where to look.

    Respectfully,
    Noviced
     

    Attached Files:

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Are you missing desk top icons and programs in the start menu?
     
  3. Noviced

    Noviced Private E-2

    Yes, after start-up, when I get to my screen saver (?), I only see 3 icons (My Computer, Recycle Bin, My Network Places and Internet Explorer). I also found the SuperAntiSpyware log. I use the Start button in the lower left to navigate my system currently.
     

    Attached Files:

  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    While I am awaiting your answer, please use Windows Explorer to find and delete:
    C:\Documents and Settings\All Users\Application Data\OHVH5iIoQjKUtw
    C:\Documents and Settings\All Users\Application Data\OHVH5iIoQjKUtw.exe
    C:\Documents and Settings\All Users\Application Data\~OHVH5iIoQjKUtw
    C:\Documents and Settings\All Users\Application Data\~OHVH5iIoQjKUtwr

    Please download and save the below tool from Grinler @ bleepingcomputer to your Desktop or anywhere else you can find it ( if the Desktop is not showing )

    http://download.bleepingcomputer.com/grinler/unhide.exe

    Now run it. Now see if you can find the items that seemed to be missing?
     
  5. Noviced

    Noviced Private E-2

    Eureka, all icons are visible. The only difference now is I have a blue screen background and not the picture I chose. Truly amazing, this computer stuff. Thank you very much. What else might I need to be "normal" again?

    Humble Padawan Learner,
    Noviced
     
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Were you able to remove those items I asked you to delete?

    You can restore the defaults for the Start Menu, Accessories and Administrative Tools as follows:



    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below log:

    • C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  7. Noviced

    Noviced Private E-2

    Yes, I was able to find and delete those items. My computer seems to be running well. I will now follow your instructions on restoring Accessories and send you the log requested ASAP. Thanks again, things are looking up.

    Noviced
     
  8. Noviced

    Noviced Private E-2

    TimW,

    The programs I use are working well. It looks like all the programs have been found. Speed has picked up. Still have the blue background behind the icons. Went to play music, missing sound. Had a pop-up say it can't play the file: "no sound device located."

    At start-up (black screen w/ #'s & boot-up) the screen shows "running Windows XP." Then it goes to the blue Windows welcome screen and all is well. Hadn't seen that before. Nevertheless my computer seems to be functioning properly.

    Curious: after the welcome screen and icons show, a pop-up with a "Windows Genuine Advantage" notification shows up. It showed up one day, not sure when, been a while (before we started to fix the computer). I always close it, never clicked it. It always goes away. Gave me no trouble. Is this an update add-on?

    Not sure if I provided what you need. I ran MGtools.exe. I don't see the C:\MGtools\GetLogs.bat file. I saved everything from 2/1/12 (Read & Run) to my desktop and clicked local C:. I attached it anyway. If I need to do something else, let me know.

    Respectfully,
    Noviced
     

    Attached Files:

  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Just a few things to deal with, after which, I suggest you post in the software forum for further assistance:

    Run CCleaner and clean out these folders:
    C:\WINDOWS\Temp\
    C:\Documents and Settings\ED\Local Settings\Temp\

    Use Windows Explorer to find and delete:
    C:\Documents and Settings\All Users\Application Data\odFpWeGCGDBNMy.exe

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Now copy just the bold text below to Notepad (do not include any space above the word REGEDIT). Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They do not use any significant amount of resources (except a little disk space) until you run a scan. We recommend them for doing backup scans when you suspect a malware infection.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.


    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program, which will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    10. After doing the above, you should work thru the below link:


    Malware removal from a National Chain = $149
    Malware removal from MajorGeeks = $0
     
  10. Noviced

    Noviced Private E-2

    Tim,

    I received a success message for the REGEDIT4.

    Noviced
     
  11. Noviced

    Noviced Private E-2

    TimW,

    Tried the "%userprofile%\Desktop\combofix" /uninstall, and a Windows pop-up said it cannot find this in C:\Documents and Settings\ED\Desktop\Combofix. I still have the icon in Desktop C. Also, looked for "HijackThis" to remove it and I cannot find it. Step #8 ran the MGtools.exe again (I attached it???). I am following step #9 now.

    Respectfully,
    Noviced
     

    Attached Files:

  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    That's because you don't have ComboFix on your desktop, you have it here:
    C:\ComboFix.exe.
     
  13. Noviced

    Noviced Private E-2

    OK, do I just go where I see it and delete it? Just a bit confused on this step in the process.

    Noviced
     
  14. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Yes, you can just manually delete it as well as the Quarantine folder.
     
  15. Noviced

    Noviced Private E-2

    TimW,

    I have been running my computer since we last had contact. I followed the last steps and acquired Microsoft Security Essentials through your site (2-7-12). Security Essentials says I have some type of trojan: "Trojan:DOS/Alureon.E". I go to take the action of removing it and it says it's done. But at start-up it comes back again. Under details it gives me this info: boot:\\.\PHYSICALDRIVE0\Partition1(Type 17). When I use Internet Explorer my computer crawls. But when I use Firefox it seems to run fine.

    Respectfully,
    Noviced
     
  16. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You must have acquired it. Please do the following:

    Go to the below link and follow the instructions for running TDSSKiller from Kaspersky

    Be sure to attach your log from TDSSKiller

    Please also download MBRCheck to your desktop.

    See the download links under this icon http://forums.majorgeeks.com/chaslang/images/MGDownloadLoc.gif

    • Double click MBRCheck.exe to run (Vista and Win 7: right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )


    Now download the latest version of MGtools and save it to your root folder. Run the exe file and attach the new C:\MGLogs.zip.
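    An added example, not MBRCheck's code or anything posted in this thread: a Python triage of a raw 512-byte MBR dump that parses the partition table and flags hidden partition types such as 0x17 (hidden NTFS), which is most plausibly what the "Type 17" in the Security Essentials detail above refers to. The sample MBR and its partition entries are constructed for the example.

```python
import struct

# Partition type IDs: "hidden" variants have bit 4 set and are not mounted
# by Windows, so a bootkit can park code there unseen (cf. "Type 17" above).
HIDDEN_TYPES = {0x16: "Hidden FAT16", 0x17: "Hidden NTFS/HPFS",
                0x1B: "Hidden FAT32", 0x1C: "Hidden FAT32 LBA"}
BOOT_SIG = b"\x55\xAA"

def parse_mbr(mbr):
    """Return the boot-signature check and the used partition entries of a 512-byte MBR."""
    if len(mbr) != 512:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        # Entry layout: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sectors(4)
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", mbr, 446 + 16 * i)
        if ptype:  # type 0x00 marks an unused slot
            parts.append({"slot": i + 1, "active": status == 0x80,
                          "type": ptype, "lba_start": lba, "sectors": count})
    return {"signature_ok": mbr[510:] == BOOT_SIG, "partitions": parts}

def triage(mbr):
    """Findings a defender would want from an MBR dump (list of strings, empty if clean-looking)."""
    info = parse_mbr(mbr)
    notes = []
    if not info["signature_ok"]:
        notes.append("boot signature 55AA missing")
    if not any(p["active"] for p in info["partitions"]):
        notes.append("no active (bootable) partition")
    for p in info["partitions"]:
        if p["type"] in HIDDEN_TYPES:
            notes.append("slot %d: hidden partition type 0x%02X (%s), %d sectors at LBA %d"
                         % (p["slot"], p["type"], HIDDEN_TYPES[p["type"]],
                            p["sectors"], p["lba_start"]))
    return notes

def build_mbr(entries, signature=BOOT_SIG):
    """Constructed test input: zeroed boot code plus the given (status, type, lba, sectors) entries."""
    table = b"".join(struct.pack("<B3xB3xII", *e) for e in entries).ljust(64, b"\x00")
    return bytes(446) + table + signature

# Constructed sample: a normal bootable NTFS volume followed by a small
# hidden type-0x17 partition, the pattern worth a closer look.
SAMPLE_MBR = build_mbr([(0x80, 0x07, 63, 40_000_000),
                        (0x00, 0x17, 40_000_063, 4096)])

if __name__ == "__main__":
    for line in triage(SAMPLE_MBR) or ["no findings"]:
        print(line)
```

    Feed it the first 512 bytes of a physical drive image (or a dump saved alongside an MBRCheck log) to see whether any partition entry falls into the hidden range.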
     
  17. Noviced

    Noviced Private E-2

    TimW,

    Here are the reports. FYI, Security Essentials indicates my computer is clean now.

    Noviced
     

    Attached Files:

  18. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    It looks like TDSSKiller took care of the problem.

    If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They do not use any significant amount of resources (except a little disk space) until you run a scan. We recommend them for doing backup scans when you suspect a malware infection.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.


    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program, which will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    10. After doing the above, you should work thru the below link:


    Malware removal from a National Chain = $149
    Malware removal from MajorGeeks = $0
     
  19. Noviced

    Noviced Private E-2

    TimW,

    After running a few days everything is looking good. I followed the cleaning process and I added the tools MajorGeeks recommended. I want to thank you for your help. This site and your knowledge are amazing. I will definitely recommend it to anyone who I hear is having trouble with their computer. Unless there is something else I need.... Thanks again.

    Respectfully,
    Noviced
     
  20. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Good to know.

    You are most welcome. Safe surfing. :)
     
