Malware Removal Guide logs

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by darkeyez, Jul 27, 2011.

  1. darkeyez

    darkeyez Private E-2

    Hi all,

    I've been trying to fix my neighbor's netbook. Here are the specs:

    Dell Inspiron 1012
    Windows 7 Starter (32-bit)
    Intel Atom N450 (1.66 GHz)
    1GB RAM

    When I got it, it barely started up all the way. Explorer would crash and restart one or two times before the HD stopped crunching. Internet Explorer was her main concern because it would redirect her to a site (search.conduit.com/etc, etc) but IE would crash before it even got there. Then it would loop, reopening and crashing until I killed it with the Task Manager.

    Even in the short period where I was able to click stuff in IE, all of the options I needed to change homepage or add-ons settings were greyed out. I was able to change it all with a work-around (accessing the cpl file directly) and changed the homepage to Google plus removed a bunch of unnecessary add-ons (none of which were the Conduit.com stuff). This helped it load up a little better but it would still crash and loop after opening the webpage.

    I tried to return it to Dell factory settings using the F8 "Repair My Computer" function at boot, but I get "parameter is incorrect" and then nothing at all until I manually shut down.

    Also, I couldn't get into the Management Console or any workarounds to access the hard drives; it would either cause the computer to freeze or return an error whenever I tried to get in.

    So, to rule out malware, I followed the guide. No malware was found by anything, but I am attaching the logs just in case I missed something.

    Eventually, I ran chkdsk /r and it found some bad sectors and fixed stuff but nothing serious (not that I would know, really, but it ran pretty smooth). I ran a 7-pass memory test and there was nothing wrong; however, MMC (and consequently the Event Viewer) was still out, so I couldn't view or save a log.

    Ultimately, I just ran Windows Update (which solved the MMC problem), and uninstalled IE8 and installed IE9 in its place (Windows Update couldn't do this for me, kept turning up errors). The HDD and Recovery partition are all listed as Healthy. I was able to defragment the main partition but not the recovery one although it says it's 1% fragmented.

    I disabled a bunch of unnecessary startup items and services. It loads up fine now, but it still feels off. I don't understand: if there's no malware and it's not a hardware issue, then what am I missing?
     

    Attached Files:

  2. thisisu

    thisisu Malware Consultant

    Hi Welcome to Major Geeks!

    Can you please attach MGlogs.zip as well? It can be found at the root of C:
     
  3. darkeyez

    darkeyez Private E-2

    A little more on the anti-malware procedure, plus the logs I couldn't fit in the first post:

    Before coming across The Guide, I used AVG and found nothing. I then tried Malwarebytes and it BSOD'd on a full scan the first time but got through it the second time with no malware detected.

    I then tried The Guide and followed all of the instructions to the letter, turned off UAC (which I have to remember to turn back on), uninstalled Java (which I have to remember to reinstall lol), ran with Normal Startup even though it was painful to do so with how sluggish the computer ran. Only thing I didn't run was MGTools at the end.

    SUPERAntiSpyware BSOD'd about 45 minutes into the scan, both times I tried it. Ran fine after I unchecked "Use Kernel Direct File Access" and "Use Kernel Direct Registry Access" but found nada.

    Tried Malwarebytes again, but this time I changed the exe file name as instructed and re-installed plus updated it (which I didn't do the first time, intending to do it manually but not being able to figure it out). It ran fine through and through, no malware.

    ComboFix I recall ran fine but it was unable to create a system restore point. Which reminds me, that's another of the issues this computer was having. Think it still might be a problem.

    RootRepeal couldn't run at all. I got two errors at the beginning and when I tried to scan it would tell me it "could not initialize driver." The logs I have here are from the first two errors I get. I noticed it identifies my computer as Windows Vista, which is not true at all. Did I download the wrong version? Also, it no longer runs on my computer at all. I get the first two errors, creates the log files and I never see the program after that. Same thing happens in Safe Mode.

    I went as far as trying TDSSKiller. It turned up nothing.

    GMER doesn't run all the way. It begins scanning something in Program Files\Microsoft Silverlight and then it BSODs. In Safe Mode, it will freeze at that point instead of BSODing. I managed to save the log up until that point and that's what's attached.


    Hope you guys have some insight into what I should try next. Ideally, I can restore the factory image and be done with it. I'd reinstall the OS but my neighbor doesn't have it and it's a Netbook anyway, she'll need to order it up from Dell if I can't figure something else out. My OS is 64bit so I don't think I can use my own to reinstall hers.

    Please keep in mind this is not my computer, and I did not investigate what kind of activity she performs with it. So if there's anything illegal in the logs, don't accuse me of breaking the forum rules, I'm just trying to do someone a favor. She says she needs this netbook for her home business, whatever that is.

    Thanks for your time and help!
     

    Attached Files:

  4. darkeyez

    darkeyez Private E-2

    Hi, is that for MGTools? That's the only one I didn't run. I wasn't sure what it was and didn't want to run it.

    Also, I wrote a huge follow-up with more details and logs and it's not showing up now. Did I do something wrong?
     
  5. darkeyez

    darkeyez Private E-2

    Don't understand what I did wrong...but I posted all this already and it hasn't appeared on the site. Here it is again:

    A little more on the anti-malware procedure, plus the logs I couldn't fit in the first post:

    Before coming across The Guide, I used AVG and found nothing. I then tried Malwarebytes and it BSOD'd on a full scan the first time but got through it the second time with no malware detected.

    I then tried The Guide and followed all of the instructions to the letter, turned off UAC (which I have to remember to turn back on), uninstalled Java (which I have to remember to reinstall lol), ran with Normal Startup even though it was painful to do so with how sluggish the computer ran. Only thing I didn't run was MGTools at the end.

    SUPERAntiSpyware BSOD'd about 45 minutes into the scan, both times I tried it. Ran fine after I unchecked "Use Kernel Direct File Access" and "Use Kernel Direct Registry Access" but found nada.

    Tried Malwarebytes again, but this time I changed the exe file name as instructed and re-installed plus updated it (which I didn't do the first time, intending to do it manually but not being able to figure it out). It ran fine through and through, no malware.

    ComboFix I recall ran fine but it was unable to create a system restore point.

    RootRepeal couldn't run at all. I got two errors at the beginning and when I tried to scan it would tell me it "could not initialize driver." The logs I have here are from the first two errors I get. I noticed it identifies my computer as Windows Vista, which is not true at all. Did I download the wrong version? Also, it no longer runs on my computer at all. I get the first two errors, creates the log files and I never see the program after that. Same thing happens in Safe Mode.

    I went as far as trying TDSSKiller. It turned up nothing.

    GMER doesn't run all the way. It begins scanning something in Program Files\Microsoft Silverlight and then it BSODs. In Safe Mode, it will freeze at that point instead of BSODing. I managed to save the log up until that point and that's what's attached.

    Last thing I did was run Microsoft Security Essentials (I uninstalled AVG before starting The Guide). No malware there, either.

    Finally, this is not my computer. I did not investigate what my neighbor uses it for. If there's something illegal in the logs, please don't accuse me of breaking forum rules. I'm just trying to do someone a favor. She says she needs this netbook for her home business, whatever that is.

    Thanks, everyone, for your time and help!
     

    Attached Files:

  6. thisisu

    thisisu Malware Consultant

    Yes

    It's another scanning / log gathering tool by MG. It's completely safe to run and will help me help you remove any remaining malware from your system.
    It is mentioned here: Vista and Win 7 Malware Removal/Cleaning Procedure
    It's not showing up here. What were the logs from?
     
  8. darkeyez

    darkeyez Private E-2

    ok, ran MGTools. Don't think it found anything. Log zip file is attached.
    Looking forward to any insight you may have. Thanks, again!
     

    Attached Files:

  9. darkeyez

    darkeyez Private E-2

    Now, after running MGTools, I can't complete a quick scan of Malwarebytes. it BSODs while scanning C:\Windows\System32\AuthFWGP.dll

    Any insight for that?
     
  10. thisisu

    thisisu Malware Consultant

    From Programs and Features (via Control Panel), please uninstall the following:

    • Conduit Engine


    Now we need to use ComboFix
    • Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFScript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFScript.txt on top of ComboFix.exe
      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    • Follow the prompts.
    • When it finishes, a log will be produced named C:\ComboFix.txt
    • Attach this log to your next message. (How to attach items to your post)
    Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    If after running ComboFix you discover none of your programs will open up because you receive the following error: Illegal operation attempted on a registry key that has been marked for deletion, then you will need to reboot your computer, which will normally fix this problem.

    Now download and install Sun Java Runtime Environment 6 Update 26
    See the download links under this icon http://forums.majorgeeks.com/chaslang/images/MGDownloadLoc.gif

    Now you need to re-download MGTools.exe and this time save it to the root of C: which was requested here: http://forums.majorgeeks.com/showthread.php?t=139681

    Run the MGTools.exe program by right clicking on it and selecting Run As Administrator.
    Afterwards, attach C:\MGlogs.zip (How to attach items to your post)

    Let me know how the PC is running after you've completed these steps!
     
  11. darkeyez

    darkeyez Private E-2

    Seems to be running fine again. Malwarebytes was able to get through a scan. Is there any other way I can test it to make sure everything's as it should be?

    Logs attached.
     

    Attached Files:

  12. thisisu

    thisisu Malware Consultant

    Your logs look much better. :)

    Are you familiar with this file on your Desktop?
    Code:
    C:\Users\AngelJewelz\Desktop\-460d~1.mp3
    If not, please delete it. It is most likely a partial file.

    Are you still getting any redirects? Anything else acting up?


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to Add/Remove Programs and uninstall HijackThis if it is present.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
      related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
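    An added triage script, written for this thread and not part of the MajorGeeks procedure, MGTools or any tool named above. It answers the "is there any other way I can test it" question from post 11 by reading, without changing anything, the places a browser hijacker of the Conduit kind leaves its marks: the IE start and search pages, the policy keys that grey out Internet Options (the symptom from post 1), Browser Helper Objects, the Run keys, and the Programs and Features uninstall entries that post 10 had you use. The registry paths are the standard Windows 7 / IE locations; the 'Conduit' match string is an assumption taken from the redirect reported in post 1, and you would widen it for whatever names your own logs show. Run it from an elevated PowerShell prompt and compare the output before and after cleanup.

```powershell
# Added triage script (not from the MajorGeeks thread or its tools).
# Read-only: lists where a browser hijacker such as Conduit typically
# persists, so you can compare before and after cleanup.
# Run as Administrator in PowerShell on Windows 7 or later.

function Show-RegValues {
    param([string]$Path, [string]$Label)
    if (Test-Path $Path) {
        Write-Host "== $Label ($Path)"
        Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue |
            Select-Object -Property * -ExcludeProperty PS* |
            Format-List | Out-String | Write-Host
    }
}

# 1. Where IE is sent on start-up, and which search providers are registered.
Show-RegValues 'HKCU:\Software\Microsoft\Internet Explorer\Main' 'IE start/search pages (user)'
Show-RegValues 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main' 'IE start/search pages (machine)'
Get-ChildItem 'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes' -ErrorAction SilentlyContinue |
    ForEach-Object { Get-ItemProperty $_.PSPath | Select-Object DisplayName, URL } |
    Format-Table -AutoSize

# 2. Policy values that grey out Internet Options. A non-zero HomePage,
#    Advanced, or similar value here is what locks the home-page and
#    add-on settings; on a home PC there is normally nothing under these keys.
Show-RegValues 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel' 'IE Control Panel restrictions (user)'
Show-RegValues 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel' 'IE Control Panel restrictions (machine)'

# 3. Browser Helper Objects: each subkey is a CLSID; resolve it to the DLL
#    that IE loads so you can see the publisher and path, not just a GUID.
$bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
Get-ChildItem $bhoKey -ErrorAction SilentlyContinue | ForEach-Object {
    $clsid  = $_.PSChildName
    $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
    $dll    = (Get-ItemProperty $server -ErrorAction SilentlyContinue).'(default)'
    [pscustomobject]@{ CLSID = $clsid; DLL = $dll }
} | Format-Table -AutoSize

# 4. Auto-start entries for the current user and the machine.
foreach ($run in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
    Show-RegValues $run 'Run key'
}

# 5. Installed programs whose name or publisher matches the hijacker
#    (assumed pattern: 'Conduit'), with the command Programs and Features
#    would run to remove them.
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
                 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
                 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall'
Get-ChildItem $uninstallKeys -ErrorAction SilentlyContinue |
    ForEach-Object { Get-ItemProperty $_.PSPath } |
    Where-Object { "$($_.DisplayName) $($_.Publisher)" -match 'Conduit' } |
    Select-Object DisplayName, Publisher, UninstallString |
    Format-List
```

    Nothing in the script modifies the registry; if section 2 shows restriction values after the cleanup steps above, or section 3 shows a BHO whose DLL you cannot account for, that is what to report back with your next set of logs rather than delete by hand.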
  13. darkeyez

    darkeyez Private E-2

    There's an mp3 file with the filename in Arabic. I can't tell if it's the same thing but it's the only mp3 file there. I think one of her programs, Athan.exe uses it on startup.

    There's also 2 desktop.ini files that showed up on the desktop. Don't remember them there after configuring it to show hidden files. Is that normal for a netbook?
     
  14. thisisu

    thisisu Malware Consultant

    That is most likely the same .mp3 file. In the logs it also shows up with a bunch of ???????????? characters -- Since it is in Arabic, this is probably why ;) I wouldn't delete it, I just wanted to make sure you knew what it was.

    These files are safe. They are hidden system files. They will go away when you finish completing the final steps.
     
  15. darkeyez

    darkeyez Private E-2

    All done! Was running a little off while I was doing all that but a restart got it back to normal.

    Few last questions.

    What was the problem? Did it have malware at all or having problems from previously removed malware?

    My own laptop is running fine, but this experience gave me the heebie-jeebies. don't know what's hiding in there. Only problem is, I wouldn't feel comfortable posting all of the stuff on my laptop HDD onto a forum for strangers to peruse (no offense, I'm really grateful you guys are around, but... you know.). How can I become an expert to clean up my own computer myself? Is there a class or webinar for this stuff?

    Would you happen to know if increasing her page file a bit will help or hurt the netbook? I went ahead and raised it to 1 GB but I think I read somewhere that might hurt things.

    Finally, when toggling System Restore, I saw that it was already set to "OFF" for the Recovery drive. Could that be why I wasn't able to restore Dell Factory Settings during boot? I'd like to leave her with the option to do so when I give back the netbook, if possible. But I have a feeling that partition's too corrupted.

    Even if you can't answer these questions, THANKS A LOT!! Huge help. Hopefully, I'll be in a position to pay you back one day.
     
