malware infection

Discussion in 'Malware Help (A Specialist Will Reply)' started by slaphappy22, Aug 5, 2010.

  1. slaphappy22

    slaphappy22 Private E-2

    Hi guys, I performed all the recommended scans and attached the logs.

    Account of what happened
    The malware installed when I did a Google search, went to the image results and clicked on an image (not porn :)). As soon as I clicked on the image Java opened, and my Comodo firewall (which had the firewall active but not Defense+) and WinPatrol started going nuts trying to block a whole bunch of files that were being downloaded and installed (if I had been thinking fast enough I would have pulled the network plug). What I did do is copy some of the file names/paths each time an alert window from WinPatrol and Comodo popped up, and of course disallowed it. Afterward I went to the file locations and deleted the files. Unfortunately none of this seemed to help. The malware had clearly hijacked my browser, at the very least.

    I worked to try to remove it for a couple of days before coming to your post on how to remove malware. I basically ran SAS multiple times (which found some malware and rootkits on multiple scans) and AVG scanners in normal startup mode and safe mode. I also tried to do a system restore, which I had to try several times, going farther and farther back in time, because they would not take; eventually it did. However, none of this helped the browser hijacking.

    Then I came across your post and followed your instructions to the T. It's been several days and that seems to have cleared up the browser hijacking. My only worry is that there may still be some other trojans or other malware that might not be so obvious as the browser hijacking. I use Outlook to correspond with clients and deal with a lot of sensitive information on this computer, so I'd like to be as confident as I can that the computer has been cleaned of all malware.

    Also attached to this post is the list of files that were caught by Comodo and WinPatrol that I deleted manually, in case that is helpful. I also attached the two SAS logs from scans I ran that removed the malware and rootkits before I had come to your site and run the scan following your instructions.

    My questions:
    1. Do you think that I got ALL malware off my computer?
    2. Is there anything you would recommend I do further to be as confident as possible that I have a clean computer?
    3. How would I go about clearing the quarantine folder for both ComboFix and MGtools? (Just to make sure no new malware files had reproduced, I ran a Malwarebytes complete scan a couple of days after doing the complete instructions; as it was running, Comodo Defense+ was triggered by a file in Qoobox, which I now understand is the quarantine for ComboFix.)


    Your help is very much appreciated. Thanks!


    Note: the SAS log dated 7-28 is the one I ran while following your instructions. The other logs attached to this post were done prior to reading the instructions in this forum. The other SAS logs did remove malware; the one I ran while following your instructions did not find anything.

    Last edited: Aug 5, 2010
  2. slaphappy22

    slaphappy22 Private E-2

    Remaining log files.

  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Your logs are clean. The following should answer your questions:

    If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real-time protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix. (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START, then RUN, enter the below into the run box and then click OK. Note that the quotes are required.
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between combofix" and /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.


    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to Add/Remove Programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program, which will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    10. After doing the above, you should work through the below link:




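A way to confirm the end state that steps 2, 6, 7, 8 and 9 above aim for, as an added example that is not part of the thread or of the MGtools procedure. It assumes PowerShell 2.0 or later on XP/Vista/7 run from an elevated prompt; the folder paths come from the steps above, and the registry value names are the standard Windows ones for UAC and Explorer hidden-file settings.

```powershell
# Post-cleanup verification (added example, not part of the thread).
# Reports anything left over from the cleanup tools or settings not yet restored.
$findings = @()

# Steps 2 and 8: ComboFix uninstall removes the Desktop copy and its C:\Qoobox
# quarantine; MGclean.bat removes C:\MGtools. None of these should remain.
foreach ($p in @("$env:USERPROFILE\Desktop\ComboFix.exe", 'C:\Qoobox', 'C:\MGtools')) {
    if (Test-Path -LiteralPath $p) { $findings += "Still present: $p" }
}

# Step 2 also resets hidden-file view settings to Windows defaults
# (Hidden = 2 means "do not show hidden files", ShowSuperHidden = 0 hides protected OS files).
$advKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$adv = Get-ItemProperty -Path $advKey -ErrorAction SilentlyContinue
if ($adv -and ($adv.Hidden -ne 2 -or $adv.ShowSuperHidden -ne 0)) {
    $findings += "Explorer hidden-file settings not at defaults (Hidden=$($adv.Hidden), ShowSuperHidden=$($adv.ShowSuperHidden))"
}

# Step 6: UAC must be back on (EnableLUA = 1) on Vista and later.
$sysKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$sys = Get-ItemProperty -Path $sysKey -ErrorAction SilentlyContinue
if ($sys -and $sys.EnableLUA -ne 1) { $findings += 'UAC is disabled (EnableLUA is not 1)' }

# Step 7: HijackThis should no longer appear in Add/Remove Programs.
$uninstKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
                'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall')
$hjt = Get-ChildItem -Path $uninstKeys -ErrorAction SilentlyContinue |
       Get-ItemProperty -ErrorAction SilentlyContinue |
       Where-Object { $_.DisplayName -like '*HijackThis*' }
if ($hjt) { $findings += 'HijackThis is still listed in Add/Remove Programs' }

# Step 9: after flushing and re-enabling System Restore there should be one fresh
# restore point, not the older ones that may still hold infected files.
$rp = @(Get-ComputerRestorePoint -ErrorAction SilentlyContinue)
if ($rp.Count -gt 1) { $findings += "$($rp.Count) restore points remain (expected a single clean one)" }

if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host 'Cleanup end state verified: no tool leftovers, UAC on, Explorer defaults restored.'
}
```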
  4. slaphappy22

    slaphappy22 Private E-2

    I very much appreciate your prompt reviewing of my logs and reply!

    Thanks again!!!
     
  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are most welcome. Safe surfing. :)
     