Malware removal: help with Step 1

Welcome to Major Geeks!

You can run in safe boot mode if that is necessary. All the instructions are saying is that we prefer normal boot mode, but they do say that safe mode is okay if you cannot boot in normal mode which somewhat fits your problem even though you can bootup.

 

You should only be doing what we asked you to do and this we specifically told you not to do. Running registry cleaners is not recommended and while infected can even be dangerous.


You have a Master Boot Record infection. We will need to boot to the Recovery Console ( you installed it while you installed ComboFix) to remove this infection.

Now boot to the Recovery Console and run the fixmbrto clear a Master Boot Record infection that you have.

You can read the below to help you do this:

http://support.microsoft.com/kb/307654


After running the fixmbr command and boot back to normal mode, continue with the below.


Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

Run MGtools.exe ( Note: If using Vista make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )


Now attach the below log:

• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

Then try running the below tool from Prevx

Prevx 3.0 use the button that says Download Prevx 3.0

After running it, continue with my previous instructions from the point where it says "Now run Ccleaner...."

 

First, please run Startup Manager and undo whatever you did with it. It should not be used to control startups and was just added to the do not use list here: Dealing with Startup Process for the same reason as other tools. It uses MSconfig keys and makes them look like orphaned keys which need to be deleted. You have lots of things apparently trapped in MConfig keys including things from software that does not even appear to be installed anymore (like Symantec)

You also have multiple antivirus programs running (Authentium - from your ISP - , ESET NOD32 and left overs from Symantec). Since ESET does not appear to be properly installed anymore nor Symantec, we will remove there leftovers.

You also have PestPatrol AntiSpyware (from your ISP) and CounterSpy running which also not a good idea. Your PC must be running rather slowly with all these duplicated security programs installed.

Now please run the below then reboot. After reboot run it one more time.

Norton Removal Tool (SymNRT)

If ESET NOD32 appears in Add/Remove programs uninstall it since the below instructions are going to forcefully remove it anyway.

Also uninstall CounterSpy to avoid the conflicts with PestPatrol that you have from your Verizon Security Suite.

Now goto Control Panel -> User Accounts, and delete the Help Assistant account that came from the MBR infection.


Now we need to use ComboFix

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
• If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
• Open Notepad and copy/paste the text in the below quote box into it:

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.
Also delete all files and subfolders in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
C:\WINDOWS\Temp
C:\Documents and Settings\Administrator\Local Settings\TEMP
Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

Run MGtools.exe ( Note: If using Vista make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )

Now attach the below log:

• C:\ComboFix.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

We will remove the Verizon stuff and ESET now to cleanup the effects of having all of these conflicting security programs installed. We will also remove some other unnecessary items (non-malware) that are wasting resource.

Did you run the Norton Removal Tool as requested last time? If not, make sure you run it right now before continuing. If you did run it last time then just continue.

I suggest that you uninstall the below two registry cleaner tools that you don't need and should avoid using unless instructed by an expert to do something specific with tools like this:
Eusing Free Registry Cleaner
RegCure

Now also uninstall Startup Manager which you really should not use as stated in the READ & RUN ME.

Now click Start, Run and copy and paste the below into the Run box and click OK.

C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\8\INTEL3~1\IDriver.exe /M{40ACEAF4-1EB2-45FC-90C3-6810700C0595}

If this runs, it should uninstall the Verizon PC Security Checkup software.


Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.verizon.net/checkmypc/includes/MotivePreQual.cab

After clicking Fix, exit HJT.


Now we need to use ComboFix to remove a bunch of malware files.

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
• If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
• Open Notepad and copy/paste the text in the below quote box into it:

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.


Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).


Then attach the below logs:

• C:\ComboFix.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

If it was malware, we would have told you to uninstall it. Eveything else is something you or someone else installed and may use. You need to check these out yourself. Google can helo. Otherwise post questions in the Software Forum for non-malware topics.

No! It's gone now.

Protection is covered in final instructions. If you are going to purchase an antivirus then I would suggest it rather than AVG since AVG has become too much of a resource hog for my liking.

Post in the Software Forum for non-malware items. You may need to reinstall and then uninstall.

Since we are finished you can do what you want after completing final instructions below. Note: While FireFox is still a useful browser to have, it actually has more vulnerabilities then current versions of Internet Explorer. The old statements like "use FireFox because it is safer" or "it will protect you" are not true anymore since malware attacks it since it is so popular now. See the below:

http://news.cnet.com/8301-27080_3-10417785-245.html?tag=rtcol;pop

Part of final instructions. There is no SP4 .....yet.


Your logs are clean but you should delete the below left over folders:
C:\Documents and Settings\Jeffrey and Alisa\Application Data\ESET
C:\Documents and Settings\All Users\Application Data\RegCure
C:\Program Files\Eusing Free Registry Cleaner


If you are not having any other malware problems, it is time to do our final steps:

1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
   • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
   • "%userprofile%\Desktop\combofix" /uninstall
     • Notes: The space between the combofix" and the /uninstall, it must be there.
     • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
7. Go to add/remove programs and uninstall HijackThis.
8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
9. If you are running Vista, Windows XP or Windows ME, do the below:
   • Refer to the cleaning procedures pointed to by step 6 of the READ ME for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
10. After doing the above, you should work thru the below link:
    • How to Protect yourself from malware!