Malware Removal

Ryfe · Jan 28, 2009

This is my brothers PC, so im not exactly sure what was going on at the time of infection. I do know that he was getting popups, and eventually, had an "anti-virus" program installed. It was something like "Defend 2009" or similar.

I directed him to the site and he started the cleaning process. When he got to the SAS scan, he said he "misread" the part about "unchecking" certain boxes. So he ran the scan with those 3 boxes checked and all others unchecked. (basically just reversed the directions) After the scan was complete the restart prompt came up, the computer hung up. From that point on it would blue screen on Windows start up. So I booted it in "Safe mode" and ran the scan again properly, which did seem to fix the problem.

That is why there are 2 SAS logs attached. The first is the one he ran with the settings reversed, and the second is the one i ran in safe mode with the proper settings.

Thanks in advance for you help,
Ryfe :major

Ryfe · Jan 28, 2009

Logs

Ryfe · Jan 28, 2009

Remember that log #1 used reversed settings and #2 used the proper settings, but was in safe mode.

TimW · Jan 29, 2009

Please use windows explorer to find and delete:
i:\documents and settings\Jacob\Application Data\MalwareRemovalBot
i:\windows\SmFjb2IgQ2FsZHdlbGw
i:\program files\MalwareRemovalBot
i:\windows\Tasks\sxjgevkb.job
i:\windows\system32\geBurPHX.dll

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file and re-run COmboFix and attach that log as well.

Ryfe · Oct 6, 2009

Alright... I had to go out of town on business so I did not have a chance to follow through with the Malware Removal. The computer has since been reinfected. I believe the "spyware removal software" that it installed is called "Total Protection ver. 4.54". The infection is now blocking any and all programs (sans windows explorer) from opening. I can not redo the scans because the programs will not open. Please tell me how to proceed.

Thanks again,
Ryfe

TimW · Oct 10, 2009

Please try doing the below:

Download and save the below to your PC (save it anywhere you can find it. The Desktop is fine). Then doube click on it to run it.

AVPFind.bat

It should take a couple minutes to run. You will see a black command prompt window while it is running and it should close when it is finished. Once it finishes, attach the c:\avplog.txt file that is will hopefully create as long as the malware does not block the batch file from running.

Now download and Run exeHelper

Please download exeHelper to your desktop.

Double-click on exeHelper.com to run the fix.

A black window should pop up, press any key to close once the fix is completed.

Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)

Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

Also please try running the below online scan:

http://www.superantispyware.com/onlinescan.html

Reboot immediately after scanning if it finds and removes anything. Let me know if anything was found. It does not save a log.

Then try running these instructions: Using MGtools

Attach the below logs when finished with all of the above:

C:\avplog.txt - from AVPfind

log.txt - from exeHelper

C:\MGlogs.zip - from MGtools

The C:\ assumes that drive C is you Windows boot drive. If you boot from another drive, then use the correct drive letter above.

Log in or Sign up

Malware Removal

Ryfe Private E-2

Ryfe Private E-2

Attached Files:

ComboFix Log.txt

mbam-log.txt

MGlogs.zip

Ryfe Private E-2

Attached Files:

SASlog 1.txt

SASlog 2.txt

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

Ryfe Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member