Malware?

princesslisa · Mar 10, 2009

I recently upgraded AVG free 8.0 to 8.5. I wasn't able to open IE7 so I did some checking and a device driver package from microsoft for network was installed so I did a system restore. Awhile back I decided to check out muvee producer 5.0 preinstalled on my system. I created a default or example set up in the program. I ran AVG scan before shutting down sys and it found and quarantined Backdoor.Prorat!ct. It caused muvee producer 5 to stop working. I uninstalled muvee and then used the HP recovery manager to reinstall muvee 5.0 and avg quarantined again. I emailed muvee producer maker and got an email back from them and a link to reinstall. The first instruction was to uninstall the old so I navigated to the programs and features to uninstall and got an error that installshield has stopped working. I restarted and tried again to no avail. I called HP and they told me to do a recovery which is a start over. Suggested may be virus so I decided to use your cleaning instructions. Oh, I forgot to mention I went to the hidden Installshield folder and found setup file. Double clicked and the install shield reinstalled HD audio driver, no error for the install shield. I ran all scans and came up clean. Superantispyware 0 infections. Malwarebytes, etc. I will attach the logs for all. Thanks

princesslisa · Mar 11, 2009

I found Revo Uninstaller and removed the old install of Muvee Producer 5.0. It is a great alternate option to windows uninstaller, it removes registry entries, files and folders. I really don't think that I am infected, I posted just to be almost positive.

dr.moriarty · Mar 14, 2009

Hello, princesslisa

We are currently reviewing your logs and will get back to you with a set of instructions as soon as possible. Our queue is working the oldest threads first.

*In the meantime - please attach the SAS log.

Thanks for your patience.
dr.m

princesslisa · Mar 15, 2009

Thanks for the reply. The AVG 8.5 problem with IE7 had to do with Vista's UAC and AVG. It has been corrected by AVG. Anyway, thank you and I will wait for your reply.

dr.moriarty · Mar 17, 2009

Hello, princesslisa

The below fixes are specific to your problem and should only be used for issue(s) on this machine. Also, please do not install any other software while we are still working with you unless instructed. Once we have given you the all clean and final instructions you will be free to install what you want.

I strongly recommend that you clean up your Desktop immediately leaving only links. Do not store downloads, exe files, iso files....etc on your Desktop. First it is not a safe place to keep them (i.e., you may loose them due to malware, and a cluttered Desktop is an easy hiding place for malware), and last but not least it can have an effect on your PCs performance.

Question: Is your copy of Spyware Doctor a paid copy or a free trial?

Having Spyware Doctor running with AVG and also Threatfire could be a bit of a resource issue. Also, since AVG has built-in spyware protection there could be conflicts with Spyware Doctor.
Click to expand...

Step 2:
Using Windows Explorer - navigate to and delete the following:

C:\0e7af92bd1b2ce6a8c232e85f4ddfa
C:\Users\Lisa\AppData\Local\Temp\DWD5B7C.tmp
C:\Users\Lisa\AppData\Local\Temp\DWD80AD.tmp
C:\Users\Lisa\AppData\Local\Temp\DWDECEE.tmp
C:\Users\Lisa\AppData\Local\Temp\is-5PLJL.tmp
C:\Users\Lisa\AppData\Local\Temp\is-6QMHB.tmp
C:\Users\Lisa\AppData\Local\Temp\is-E1OVI.tmp
C:\Users\Lisa\AppData\Local\Temp\is-FM7H3.tmp
C:\Users\Lisa\AppData\Local\Temp\is-IMK7T.tmp
C:\Users\Lisa\AppData\Local\Temp\is-L8C62.tmp
C:\Users\Lisa\AppData\Local\Temp\isp4A78.tmp
C:\Users\Lisa\AppData\Local\Temp\FF398E41-313C-414E-8E7C-DB17695C4BC8
C:\Users\Lisa\AppData\Local\Temp\~DFACBC.tmp
Click to expand...

Step 2:
Run Ccleaner

Step 3:
Go to this link Using MGtools and download the new version of MGtools.exe from the black bold print link in the first sentence. Overwrite your previous MGtools.exe file with this one.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, use right click and select Run As Administrator).

Then attach the below logs to your next reply:

C:\MGlogs.zip

Make sure you tell me if you had any problems running this procedure and give a description of how things are working now!

dr.m

princesslisa · Mar 18, 2009

I followed the instructions in your post and deleted the files except for (C:\Users\Lisa\AppData\Local\Temp\~DFACBC.tmp), I couldnt locate it. Spyware Doctor is paid version. Here is the attached file.

princesslisa · Mar 18, 2009

Oh, I didn't have any errors or problems running or using MGTools. My computer seems to be fine. I will wait for a response. Thank You.

dr.moriarty · Mar 18, 2009

You're Welcome!

Your logs look good! If you are not having any other malware problems, it is time to do our final steps:

We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significan amount of resources ( except a little disk space ) until you run a scan.

If we had you use ComboFix, uninstall ComboFix (=This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)

Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required

"%userprofile%\Desktop\combofix" /u

Notes: The space between the combofix" and the /u, it must be there.

This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.

Delete the C:\combofix folder from combofix (if it exists)

If we had you run Avenger, you can delete all files related to Avenger now.

Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.

If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.

If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.

Go to add/remove programs and uninstall HijackThis.

You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip

If you are running Vista, Windows XP or Windows ME, do the below:

Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.

Then reboot and Enable System Restore to create a new clean Restore Point.

After doing the above, you should work thru the below link:

How to Protect yourself from malware

Click to expand...

Safe surfing! http://i268.photobucket.com/albums/jj5/drmoriarty/Emoticons/char145.gif

princesslisa · Mar 18, 2009

Thank you so much for the help. So, did I have malware and if so, what was it? The files I deleted were those also malware?

dr.moriarty · Mar 19, 2009

princesslisa said: ↑

Thank you so much for the help. So, did I have malware and if so, what was it? The files I deleted were those also malware?
Click to expand...

Hi, princesslisa -

You're most welcome!

It was mostly junk temporary files.. but there was a suspect unknown with no info found on the entire net concerning it --- which usually means its malware.

dr.m

Log in or Sign up

Malware?

princesslisa Private E-2

Attached Files:

mbam-log-2009-03-10 (18-28-40).txt

combofix log.txt

MGlogs.zip

princesslisa Private E-2

dr.moriarty Malware Super Sleuth Staff Member

princesslisa Private E-2

Attached Files:

SUPERAntiSpyware Scan Log - 03-10-2009 - 17-56-06.log

dr.moriarty Malware Super Sleuth Staff Member

princesslisa Private E-2

Attached Files:

MGlogs.zip

princesslisa Private E-2

dr.moriarty Malware Super Sleuth Staff Member

princesslisa Private E-2

dr.moriarty Malware Super Sleuth Staff Member