malware removal review

Discussion in 'Malware Help (A Specialist Will Reply)' started by Rapitharian, Jan 3, 2011.

  1. Rapitharian

    Rapitharian Private E-2

    I ran the steps in the Malware Removal FAQ.
    Attached are my logs.
I could not get ComboFix to run, so I skipped it. I came back after I was able to get SUPERAntiSpyWare and MalwareBytes to run under their normal names in normal startup (not safe mode), and it is still hanging the machine at "may easily double on badly infected machines." I left it running for several hours; no change, the system was locked and required a hard reboot.
    This seems to be the last issue as all others show clean.

  2. Rapitharian

    Rapitharian Private E-2

    More Logs.
    Attached is the most recent Mbam log. The first run was a quick scan; this one is a full scan.
    The Hijackthis log was created right before I attached it, making it the most current.
    Also, I disabled the system restore points once most seemed fine. HJT has re-enabled them, so they are currently on.

    All help is appreciated; as I can't figure out what my wife did to this machine.
    Other items of note: I removed all the windows live garbage and all the Java installs, I will reinstall once everything is back to normal.
    Original symptoms:
    Viruses found by NAV.
    Processor went to 100%
    Could not run any AntiSpyware apps under native names.

    Current state:
    NAV turned off.
    Processor normal
    Can run Antispyware under normal names
    Can't run Combofix. Hangs every time at "Badly infected machines may easily double." I never get the clock message.

    Thanks,
    Rap

  3. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Looks like TDSSKiller took care of things. Let's continue on.

    Uninstall these outdated versions of Java.

    • J2SE Runtime Environment 5.0 Update 11
    • Java Auto Updater
    • Java(TM) 6 Update 18
    • Java(TM) 6 Update 3
    • Java(TM) SE Runtime Environment 6 Update 1

    What is this? C:\Program Files\101220108155100.bat <--- If you do not know, then delete it.

    If you do not use Windows Messenger, run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger, because they are not the same. Windows Messenger is a frequent cause of popups.

    Run TDSSkiller again and attach the log.

    Reboot your machine and install the most current and up to date version of Java available here at the below link:

    Java Runtime 6

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

    Let us know of any problems you may have encountered with the above instructions and also let me know how things are running now!
  4. Rapitharian

    Rapitharian Private E-2

    Followed the above instructions.
    Removed Windows Messenger.
    Reran TDSSkiller
    Installed Java.

    This seems to be an uninstall batch for an app on the system. Contents of the file below.
    Code:
    :tryDelete
    IF EXIST "C:\Program Files\Oberon Media\Sweet Tooth To Go" GOTO WaitAndTryAgain
    	ping -n 2 localhost>NUL
    for /f %%a in ('dir /b "C:\Program Files\Oberon Media"') do ( GOTO End )
    :EmptyLabel
    echo "EMPTY"
    	rd /s /q "C:\Program Files\Oberon Media"
    	IF EXIST "C:\Program Files\Oberon Media" GOTO WaitAndTryAgain
    		GOTO End
    :WaitAndTryAgain
    	ping -n 2 localhost>NUL
    	GOTO tryDelete
    :End
    Del /F /Q "C:\Program Files\101220108155100.bat"
    Logs attached.

    The behavior of the browser is normal and the popups and redirects have stopped.
    Thanks,
    Rap
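Rapitharian read the unknown .bat by hand to decide it was an uninstaller. The following added triage helper (not from this thread or from MajorGeeks) does the same check mechanically for any batch file found in a spot like C:\Program Files with a random numeric name: it lists what the script deletes, whether it deletes itself, whether it loops back on itself (the retry pattern above), and whether any GOTO points at a label that does not exist. The embedded batch text is a constructed copy of the file quoted in the post.

```python
import re

# Constructed copy of the batch file quoted in the thread (sample input).
BATCH_TEXT = r"""
:tryDelete
IF EXIST "C:\Program Files\Oberon Media\Sweet Tooth To Go" GOTO WaitAndTryAgain
    ping -n 2 localhost>NUL
for /f %%a in ('dir /b "C:\Program Files\Oberon Media"') do ( GOTO End )
:EmptyLabel
echo "EMPTY"
    rd /s /q "C:\Program Files\Oberon Media"
    IF EXIST "C:\Program Files\Oberon Media" GOTO WaitAndTryAgain
        GOTO End
:WaitAndTryAgain
    ping -n 2 localhost>NUL
    GOTO tryDelete
:End
Del /F /Q "C:\Program Files\101220108155100.bat"
"""

# rd/rmdir/del/erase followed by optional /flags and a (possibly quoted) path.
DELETE_CMD = re.compile(
    r'^\s*(?P<cmd>rd|rmdir|del|erase)\b(?P<flags>(?:\s+/\S+)*)\s+"?(?P<path>[^"\n]+?)"?\s*$',
    re.IGNORECASE)
GOTO = re.compile(r"\bGOTO\s+(\w+)", re.IGNORECASE)
LABEL = re.compile(r"^\s*:(\w+)\s*$")


def triage_batch(text, own_path):
    """Summarise a batch script: delete targets, self-deletion, backward jumps
    (retry loops) and GOTOs to labels that are missing (truncated file?)."""
    label_at, jumps, deletes = {}, [], []
    for i, line in enumerate(text.splitlines()):
        m = LABEL.match(line)
        if m:                      # label definitions, lower-cased (cmd is case-insensitive)
            label_at[m.group(1).lower()] = i
            continue
        jumps.extend((i, t.lower()) for t in GOTO.findall(line))
        m = DELETE_CMD.match(line)
        if m:
            cmd = m.group("cmd").lower()
            recursive = cmd in ("rd", "rmdir") and "/s" in m.group("flags").lower()
            deletes.append((m.group("path"), recursive))
    return {
        "deletes": deletes,                       # (path, recursive_tree_delete)
        "self_delete": any(p.lower() == own_path.lower() for p, _ in deletes),
        "loops": sorted({t for i, t in jumps if t in label_at and label_at[t] < i}),
        "dangling_gotos": sorted({t for _, t in jumps if t not in label_at}),
    }
```

For the quoted file this reports one recursive tree delete of the Oberon Media folder, a self-delete of the .bat, and a loop back to tryDelete, which is consistent with a vendor uninstaller rather than with anything that persists.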

  5. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Excellent.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
  6. Rapitharian

    Rapitharian Private E-2

    Kestrel13!,
    Thanks for all your help. Cleanup complete.
    As a side note, Combofix still hangs the system when I run it; I have to do a hard reset once I run it.

    Again thanks.
    Rap
  7. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Don't worry about Combofix. I could have had you rename it or try to run it in safe mode, but I see no reason to persevere with it.