Malwarebytes & Avira frozen after finding virus

Discussion in 'Malware Help (A Specialist Will Reply)' started by MNMP2, Dec 27, 2012.

  1. MNMP2

    MNMP2 Private E-2

    Wife's computer running Vista Home Premium Sp2.

    She clicked on an e-mail that was a fake FedEx delivery notice of some kind. I ran Malwarebytes and it found a couple of files, which I allowed it to fix. A few days later we got another problem.

    Avira notifies of a bad file found on the background scan and we hit "remove" on that. Another one comes up right away and we do the same.

    Decided to run MB again, but this time it freezes up after about 4-6 seconds. Tried in safe mode too, but same deal.

    Avira now frozen as well.


    Uninstalled both and went to the Run & Read Me and Vista scan instructions.

    After re-installing MB per the steps I get the same result: frozen a few seconds into a scan.

    Looks like RogueKiller found a few things, but it looks like the rest didn't. I am attaching logs.

    Thanks!
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The only things that stand out are the below startup processes

    O4 - HKCU\..\Run: [usdhem] ,_Concat
    O4 - HKCU\..\Run: [rynlsf] ,memset_check

    Do you have any idea what these are? Based on the way they are named, I expect them to be malware.
     
  3. MNMP2

    MNMP2 Private E-2

    I have no idea what those two are. Looked suspicious to me as well. When I disabled them in CCleaner's startup tool and rebooted, I was able to run Malwarebytes then. It didn't detect anything though.

    What do I do to get rid of those? Should I let RogueKiller delete the files it found?
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It did not find anything.

    Do not use CCleaner to control startups. It makes use of MSConfig registry keys, which is strongly not recommended, as those registry keys belong to Microsoft Windows for MSConfig. They do not belong to Piriform or any other company (like Glary Utilities, etc.). Undo this and then run the next fix I will be posting shortly.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Uninstall the below software:
    Java(TM) 6 Update 23
    Viewpoint Media Player

    Now install the current version of Sun Java from: Sun Java Runtime Environment


    Please download OTM by Old Timer and save it to your Desktop.
    • Right-click OTM.exe and select Run as administrator to run it.
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C
      (or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of
      the code box
    Code:
    :Processes
    explorer.exe
     
    :Files
    C:\Windows\tasks\Norton Internet Security - Run Full System Scan - Michele.job
     
    :Reg
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "usdhem"=-
    "rynlsf"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
    "HP Software Update"=-
    "QuickTime Task"=-
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\microsoft\windows\currentVersion\Run]
    "HP Software Update"=-
    "QuickTime Task"=-
    [HKEY_USERS\S-1-5-21-3092425743-2039710276-1654101885-1000\Software\Microsoft\Windows\CurrentVersion\run]
    "usdhem"=-
    "rynlsf"=-
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{3F2DAD7A-082F-485F-8213-7B7AE5CF2BA2}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{3F2DAD7A-082F-485F-8213-7B7AE5CF2BA2}]
    :Commands
    [purity]
    [EmptyTemp]
    [start explorer]
    
    [Reboot]
    • Return to OTM, right-click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Now click the large MoveIt! button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder (assuming your Windows drive is C). This is where your log will be saved, named by date and time as mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach this log file to your next message.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • the C:\_OTM\MovedFiles log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
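
The two startup values chaslang singled out (post 2) and the `:Reg` deletion lines in the OTM script (post 5) both come down to reading HijackThis "O4" lines and deciding which auto-start entries have no business being there. The script below is an added example written for this page; it is not part of the thread, not a MajorGeeks tool, and not how OTM or HijackThis work internally. It parses O4 lines, flags entries whose value data carries no executable path at all (the `,_Concat` / `,memset_check` pattern above), entries with random-looking lowercase value names, and entries launched from user-writable directories, then drafts `"name"=-` deletion lines in the syntax the OTM script uses. The sample log is constructed: the HP and QuickTime paths are typical installs rather than copied from the poster's log, and the "Updater" line is invented to exercise the user-writable check. The expansion of `HKCU\..\Run` to the full `Software\Microsoft\Windows\CurrentVersion\Run` key is an assumption about HijackThis's abbreviation. The flags are leads for a human to confirm, exactly as chaslang asked "Do you have any idea what these are?" before removing anything; do not feed the drafted block to OTM unreviewed.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# HijackThis prints auto-start values as:  O4 - HKCU\..\Run: [ValueName] value data
O4_RE = re.compile(r'^O4\s*-\s*(?P<key>[^:]+):\s*\[(?P<name>[^\]]*)\]\s*(?P<data>.*)$')

# Assumption: HijackThis abbreviates "Software\Microsoft\Windows\CurrentVersion" as "..",
# so HKCU\..\Run expands to the full Run key shown in the OTM script in this thread.
HIVES = {"HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE"}
RUN_PARENT = "Software\\Microsoft\\Windows\\CurrentVersion\\"

# Directories a legitimate auto-start rarely runs from (heuristic, compared lower-cased).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\")


@dataclass
class StartupEntry:
    key: str            # e.g. HKCU\..\Run
    name: str           # registry value name
    data: str           # raw value data
    exe: str = ""       # program path extracted from data ("" if none)
    flags: List[str] = field(default_factory=list)


def executable_of(data: str) -> str:
    """Pull the program path out of Run-value data.

    Quoted path -> the quoted text. Unquoted -> up to and including the first
    '.exe' (so 'C:\\Program Files\\x\\y.exe -flag' survives its spaces), else the
    first token before a space or comma. Data that begins with a comma, like the
    usdhem/rynlsf entries in this thread, therefore yields no program at all.
    """
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    m = re.match(r'(.*?\.exe)(?=\s|$)', data, re.IGNORECASE)
    if m:
        return m.group(1)
    return re.split(r'[ ,]', data, maxsplit=1)[0]


def triage_line(line: str) -> Optional[StartupEntry]:
    """Parse one log line; return None for anything that is not an O4 entry."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    e = StartupEntry(m["key"], m["name"], m["data"])
    e.exe = executable_of(e.data)
    if not e.exe:
        e.flags.append("no executable path")
    if re.fullmatch(r"[a-z]{5,8}", e.name):
        e.flags.append("random-looking value name")
    if any(d in e.exe.lower() for d in USER_WRITABLE):
        e.flags.append("runs from user-writable directory")
    return e


def triage(log_text: str) -> List[StartupEntry]:
    return [e for e in (triage_line(line) for line in log_text.splitlines()) if e]


def reg_removal_block(entries: List[StartupEntry]) -> str:
    """Draft ':Reg' deletion lines for flagged entries in the syntax the OTM
    script above uses: [full key] followed by "name"=- per value. Review before use."""
    by_key = {}
    for e in entries:
        if e.flags:
            by_key.setdefault(e.key, []).append(e.name)
    lines = [":Reg"]
    for key, names in by_key.items():
        hive, _, rest = key.partition("\\..\\")
        lines.append(f"[{HIVES.get(hive, hive)}\\{RUN_PARENT}{rest}]")
        lines.extend(f'"{n}"=-' for n in names)
    return "\n".join(lines)


# Constructed sample log. The first four value names appear in this thread (the
# HP/QuickTime paths are typical installs, not copied from the poster's log);
# the "Updater" line is invented purely to exercise the user-writable check.
SAMPLE_LOG = r"""
O4 - HKCU\..\Run: [usdhem] ,_Concat
O4 - HKCU\..\Run: [rynlsf] ,memset_check
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [Updater] C:\Users\user\AppData\Local\Temp\upd.exe
"""

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for e in found:
        print(f"{e.key} [{e.name}] exe={e.exe!r} flags={e.flags}")
    print(reg_removal_block(found))
```

The "no executable path" flag is the strong signal here: Windows will still try to run whatever is in the value, but a Run value whose data starts with a comma names no program, which no legitimate installer writes. The name heuristic is weak on its own and only adds weight.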
     
  6. MNMP2

    MNMP2 Private E-2

    Attached are the logs. Followed your instructions exactly.

    I'm a little worried, as I got a redirect on the first search I did after all this was done. Using Firefox and the home page is MSN, so I did a search on the Bing toolbar and when I clicked the link (ESPN) it redirected. Closed the tab and tried a few more searches and didn't have a problem with subsequent searches.

    I don't have any protection on this machine right now, so I am going to load up Norton 360 now. I have an account with them and have it on my laptop, so I think I will put it on this one too.

    Let me know if you think I should do anything else.
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you find that you still have problems with Firefox being redirected then run the below:

    Reset Firefox to Defaults

    Let me know your status. If all is good, I will post final instructions.
     
  8. MNMP2

    MNMP2 Private E-2

    This morning I did a Bing search and was redirected after clicking one of the results. Went ahead and did the Firefox reset, and at this point it seems to be fixed: no redirects after quite a few searches.

    I guess we can move to next/final steps?
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Excellent.


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Go back to step 4 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista or Win 7, it is time to make sure you have re-enabled UAC by double-clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    6. Go to the C:\MGtools folder and find the MGclean.bat file. Double-click on this file to run this cleanup program, which will remove files and folders related to MGtools and some other items from our cleaning procedures.
    7. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 6 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work through the below link:
     
