Not confident I'm QUITE clean

Discussion in 'Malware Help (A Specialist Will Reply)' started by gfay63, May 24, 2009.

  1. gfay63

    gfay63 Private E-2

    Hi,

    Two weeks ago, this PC started having major Malware problems. According to my son, it started with a page on Craigslist. Unfortunately, I don't have details. By the time I got to it, major problems with pop-ups, slowness, etc. I ran through the full "READ & RUN ME" Process. It amazingly "seemed" to fix everything for a week+. But started getting pop-ups last night.

    Immediately re-ran the full "READ & RUN ME" Process, and it seems something odd kept getting caught in each step in the process, by each tool...something re: the "c:\Windows\system32" directory...not even a file? In any case, not at all confident I am really clean, although it "seems" OK.

    All logs requested are attached. Note there is a SASLog1.txt; I ran SAS without some of the check-boxes (though it found a bunch), so re-ran it correctly. The system would not let me upload SASLog2.txt, but the text is appended below showing it found nothing.

    Thanks much (in advance)!!

    Greg

    - - - - SASLog2.txt (See uploads for the main 4 log files you want) - - - -

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 05/24/2009 at 10:48 AM

    Application Version : 4.26.1002

    Core Rules Database Version : 3908
    Trace Rules Database Version: 1853

    Scan type : Complete Scan
    Total Scan Time : 00:46:44

    Memory items scanned : 519
    Memory threats detected : 0
    Registry items scanned : 6895
    Registry threats detected : 0
    File items scanned : 28770
    File threats detected : 0

  2. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Welcome to MajorGeeks!

    I am currently reviewing your logs and will get back to you with a set of instructions as soon as possible. Our queue is working the oldest threads first.

    Thanks for your patience.
    dr.m
  3. gfay63

    gfay63 Private E-2

    Hello...any luck yet seeing if I'm really clean?

    Thanks much,
    Greg
  4. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Hello, gfay63


    The below fixes are specific to your problem and should only be used for issue(s) on this machine. Also, please do not install any other software while we are still working with you unless instructed. Once we have given you the all clean and final instructions you will be free to install what you want.

    *Comment: Giving all users of this PC "Administrator Accounts" is bound to lead to problems.

    Step 1:
    Please look in Add/Remove Programs for the following and uninstall if found. If you get any errors, just make a note and proceed.
    Step 2:
    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    After clicking Fix, exit HJT.

    Step 3:
    Now we need to use ComboFix to remove some malware.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. *Remember to re-start them before coming back online.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    
    Driver::
    5e712c20
    
    File::
    c:\docume~1\Jack\LOCALS~1\Temp\_A00F29841C.exe
    c:\docume~1\Jack\LOCALS~1\Temp\_A00F3104F3.exe
    c:\docume~1\Jack\LOCALS~1\Temp\_A00F403AB0.exe
    c:\docume~1\Jack\LOCALS~1\Temp\_A00F480CB3.exe
    c:\docume~1\Jack\LOCALS~1\Temp\_A00F4F633E.exe
    c:\docume~1\Jack\LOCALS~1\Temp\_A00F5981B2.exe
    c:\docume~1\Jack\LOCALS~1\Temp\_A00F5E9E0B.exe
    c:\windows\TEMP\_A00FA46C923.exe
    c:\windows\TEMP\exs5j9mv.exe
    c:\windows\system32\BIT4F.tmp
    c:\windows\system32\BIT28D.tmp
    c:\windows\ld08.exe
    C:\WINDOWS\PEV.exe
    C:\p2hhr.bat
    c:\windows\TEMP\exs5j9mv.exe
    c:\windows\system32\zayehati.dll
    C:\Program Files\Mozilla Firefox\extensions\{016EE665-E497-477C-B8C8-88523D5FDD24}\chrome\content\overlay.xul
    C:\Program Files\Mozilla Firefox\extensions\{01866DCE-8836-45D9-BBAF-784E161ACDED}\chrome\content\overlay.xul  
    C:\Program Files\Mozilla Firefox\extensions\{07E065B0-BAD2-46D2-B6D3-D4DC1EB2B941}\chrome\content\overlay.xul
    C:\Program Files\Mozilla Firefox\extensions\{1066884E-CC54-4FEE-B4DF-AC9210E760B1}\chrome\content\overlay.xul 
    C:\Program Files\Mozilla Firefox\extensions\{1F29F989-0ADF-45C6-9517-EC62337B68E8}\chrome\content\overlay.xul 
    C:\Program Files\Mozilla Firefox\extensions\{25669442-CEBC-47DD-A97D-4AA87BFF787B}\chrome\content\overlay.xul 
    C:\Program Files\Mozilla Firefox\extensions\{2BD49515-C056-41D5-B663-CA5864F311C8}\chrome\content\overlay.xul
    C:\Program Files\Mozilla Firefox\extensions\{2C409535-84CA-4745-B573-D1EACA6F253D}\chrome\content\overlay.xul
    C:\Program Files\Mozilla Firefox\extensions\{2EEA866F-7A9C-48F3-AB9D-3CFB812D77A3}\chrome\content\overlay.xul
    C:\Program Files\Mozilla Firefox\extensions\{31AB2436-5F1C-4A53-90A2-2C7CA965F4D1}\chrome\content\overlay.xul
    C:\Program Files\Mozilla Firefox\extensions\{35AA22A3-F0A9-44FB-BBD8-849C238D4740}\chrome\content\overlay.xul
    C:\Program Files\Mozilla Firefox\extensions\{40210699-E4C2-4A8E-8892-6AE48DE62FE1}\chrome\content\overlay.xul
    C:\Program Files\Mozilla Firefox\extensions\{422B7C49-10EC-4A56-A15B-2FE7B78E8BC7}\chrome\content\overlay.xul
    C:\Program Files\Mozilla Firefox\extensions\{4C89EA4E-5183-4C3A-8B79-E01BDD291635}\chrome\content\overlay.xul
    C:\Program Files\Mozilla Firefox\extensions\{52F5F62F-E199-4424-8996-7A302D09069D}\chrome\content\overlay.xul
    C:\Program Files\Mozilla Firefox\extensions\{54D4CCB1-DCB3-43CF-A4E3-3F91C3CC62E4}\chrome\content\overlay.xul
    C:\Program Files\Mozilla Firefox\extensions\{5B9CF4F5-53D6-4351-B0ED-BD078101A200}\chrome\content\overlay.xul
    C:\Program Files\Mozilla Firefox\extensions\{5DC397D5-9989-4271-BE05-BDE50EE6EF22}\chrome\content\overlay.xul
    C:\Program Files\Mozilla Firefox\extensions\{75F7EB4A-2AC1-46B1-87E9-F127ADE29767}\chrome\content\overlay.xul
    C:\Program Files\Mozilla Firefox\extensions\{76C11423-82C4-43C2-B34E-CEF96F6454D0}\chrome\content\overlay.xul
    C:\Program Files\Mozilla Firefox\extensions\{7FAC57B5-8C7F-4BE4-9E33-C9925766B5BB}\chrome\content\overlay.xul
    C:\Program Files\Mozilla Firefox\extensions\{8A29E3A4-7B20-444C-986A-F87D02AAA244}\chrome\content\overlay.xul   
    C:\Program Files\Mozilla Firefox\extensions\{9B67BC4C-206E-4AEC-853D-677990E32BCA}\chrome\content\overlay.xul   
    C:\Program Files\Mozilla Firefox\extensions\{9BCD6172-2F2D-4FAC-BB08-CCB5B1FB57DC}\chrome\content\overlay.xul   
    C:\Program Files\Mozilla Firefox\extensions\{9EA33A4D-850F-4772-9237-238F16229AE8}\chrome\content\overlay.xul   
    C:\Program Files\Mozilla Firefox\extensions\{A3021146-F5E3-4CB3-ABBC-29F719048513}\chrome\content\overlay.xul  
    C:\Program Files\Mozilla Firefox\extensions\{A50E2DE2-B7FA-4229-BE47-8DCA872113BB}\chrome\content\overlay.xul   
    C:\Program Files\Mozilla Firefox\extensions\{AE603EBF-3522-402D-B57D-78916A630304}\chrome\content\overlay.xul   
    C:\Program Files\Mozilla Firefox\extensions\{AF136746-E745-4F69-B42A-BE5331C85D16}\chrome\content\overlay.xul   
    C:\Program Files\Mozilla Firefox\extensions\{BD5C8526-FE5A-44BB-80B7-E34885CA9D1A}\chrome\content\overlay.xul  
    C:\Program Files\Mozilla Firefox\extensions\{C3F134F4-E484-4CCD-924F-EB1A5B1E8588}\chrome\content\overlay.xul   
    C:\Program Files\Mozilla Firefox\extensions\{C7C26CEC-D1AD-497A-BF6E-B5E6AEF2162D}\chrome\content\overlay.xul
    C:\Program Files\Mozilla Firefox\extensions\{C87863E7-DC00-4A47-8680-715EE1E7A232}\chrome\content\overlay.xul 
    C:\Program Files\Mozilla Firefox\extensions\{CC92E052-DEF1-40A5-B9D8-2F21EB5F5E0F}\chrome\content\overlay.xul   
    C:\Program Files\Mozilla Firefox\extensions\{D11A3092-0037-421C-A725-C546A8FC86DE}\chrome\content\overlay.xul   
    C:\Program Files\Mozilla Firefox\extensions\{D1F67CBB-D29E-4268-98AD-60062B4696E4}\chrome\content\overlay.xul   
    C:\Program Files\Mozilla Firefox\extensions\{DB62BC1F-6D5F-4F69-8A88-765ED4EEF83A}\chrome\content\overlay.xul   
    C:\Program Files\Mozilla Firefox\extensions\{E023C152-CD59-4AC1-BC25-1B00AD606820}\chrome\content\overlay.xul   
    C:\Program Files\Mozilla Firefox\extensions\{E213B9D3-A099-46CB-9FE8-B753AFA77620}\chrome\content\overlay.xul   
    C:\Program Files\Mozilla Firefox\extensions\{E6129E56-0AB8-445E-B31C-80235A675A2C}\chrome\content\overlay.xul   
    C:\Program Files\Mozilla Firefox\extensions\{E89C3D91-5626-44AD-80B3-D7D1E7118AD8}\chrome\content\overlay.xul   
    C:\Program Files\Mozilla Firefox\extensions\{E95C9BA4-40DE-4959-8CF1-E8A6AB21BEC7}\chrome\content\overlay.xul   
    C:\Program Files\Mozilla Firefox\extensions\{F10789AF-CA55-4393-87DF-BC32B478C479}\chrome\content\overlay.xul   
    C:\Program Files\Mozilla Firefox\extensions\{F7C61A1C-5586-4DD4-B740-FE7BB06736EF}\chrome\content\overlay.xul   
    C:\Program Files\Mozilla Firefox\extensions\{FAF8BDF7-19E0-4A60-B55C-BEAA3081A67F}\chrome\content\overlay.xul   
    C:\Program Files\Mozilla Firefox\extensions\{FE8D8D4B-DFD3-4892-B0A7-1DB02A7318B5}\chrome\content\overlay.xul   
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "C:\WINDOWS\system32\zayehati.dll"=-
    "c:\windows\system32\exs5j9mv.exe"=-
    "c:\windows\ld08.exe"=-
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
      If it asks you to override the previous file with the same name, click YES.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below.

    Note:

    Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


    Step 4:
    Open CCleaner - select "Cleaner" > "Run Cleaner" <---use this function ONLY!


    Step 5:
    Now go to this link MGTools and download the new version of MGtools....overwrite your previous MGtools.exe file with this one.

    Then run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, use right click and select Run As Administrator).

    Then attach the below logs to your next reply:
    • C:\MGlogs.zip
    • C:\combofix.txt

    Make sure you tell me if you had any problems running this procedure and give a description of how things are working now!

    dr.m
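    The CFScript handed to ComboFix in Step 3 has a simple line-oriented layout: a section header ending in "::" (File::, Registry::, Driver::), followed by one entry per line, with Registry:: holding a [key] line and then "value"=- lines. As an added example (not code from this thread, from MajorGeeks, or from ComboFix itself), here is a small Python checker that parses such a script before it is dragged onto ComboFix.exe and flags the slips that are easy to make when hand-editing one: a header with a single colon, a section name it does not know, an entry before any header, a File:: path listed twice, and a Registry:: line that is not in the "value"=- deletion form. The known-section list is an assumption limited to the three sections used in this thread, and the sample script with its file and driver names is constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Section names used in the thread's script. This is an assumption for the
# example: ComboFix understands others, so extend the set as needed.
KNOWN_SECTIONS = {"File", "Registry", "Driver"}

# A header line is a bare word followed by one or more colons, e.g. "File::".
HEADER_RE = re.compile(r"^([A-Za-z]+)(:+)$")


def parse_cfscript(text):
    """Split a CFScript into {section: [entries]} plus a list of warnings."""
    sections = defaultdict(list)
    warnings = []
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        header = HEADER_RE.match(line)
        if header:
            name, colons = header.groups()
            if colons != "::":
                warnings.append(f"line {lineno}: header '{line}' should end with '::'")
            if name not in KNOWN_SECTIONS:
                warnings.append(f"line {lineno}: unknown section '{name}'")
            current = name
            continue
        if current is None:
            warnings.append(f"line {lineno}: entry before any section header: {line}")
            continue
        sections[current].append(line)
    return dict(sections), warnings


def check_cfscript(text):
    """Parse the script and apply content checks; returns (sections, warnings)."""
    sections, warnings = parse_cfscript(text)

    # Windows paths are case-insensitive, so duplicates are found on lower-case.
    counts = Counter(path.lower() for path in sections.get("File", []))
    for path, n in counts.items():
        if n > 1:
            warnings.append(f"duplicate File:: entry ({n}x): {path}")

    # Registry:: is a [key] line followed by "value"=- lines; the "=-" suffix
    # is the value-deletion form used in the thread's script.
    key = None
    for entry in sections.get("Registry", []):
        if entry.startswith("[") and entry.endswith("]"):
            key = entry[1:-1]
        elif key is None:
            warnings.append(f"Registry:: value line before any [key]: {entry}")
        elif not entry.endswith("=-"):
            warnings.append(f"Registry:: line under [{key}] is not a deletion (=-): {entry}")
    return sections, warnings


# Constructed sample script: the single-colon "Driver:" header and the
# path listed twice (differing only in case) are deliberate, so the checker
# has something to report. All names here are made up for the example.
SAMPLE_SCRIPT = r"""
Driver:
exampledrv

File::
c:\windows\TEMP\example_a.exe
c:\windows\system32\example_b.dll
c:\windows\temp\EXAMPLE_A.exe

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"c:\windows\system32\example_b.dll"=-
"""

if __name__ == "__main__":
    secs, warns = check_cfscript(SAMPLE_SCRIPT)
    for name, entries in secs.items():
        print(f"{name}:: {len(entries)} entries")
    for w in warns:
        print("WARNING:", w)
```

    Run it on a CFScript.txt saved from Notepad by passing the file's contents to check_cfscript; an empty warning list means the headers and the Registry:: lines are in the expected shape, which is worth confirming before the script drives deletions.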
  5. gfay63

    gfay63 Private E-2

    I somehow missed the e-mail in the inbox that you'd replied, so a delay here.

    In any case, the process ran great. Attached are the log files. All seems to be well.

    Thank you VERY much.

    Regards,
    Greg

  6. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Hello, gfay!

    I'm glad to hear your pc is running well! The bad news - I need you to update the following tools and attach new logs so I can see the current state of your pc, since it has been 52 days since I posted my fix.
    • SUPERAntiSpyware <--- Uninstall your old version/run Cleaner/ download the latest version found here. Remember to update its definitions database before running it.
    • Malwarebytes Anti-Malware <--- Open MBAM /click on the "Update" tab and update to v.1.39, database is 2529 at this moment.
    • ComboFix <--- Delete the combofix.exe file that is currently on your Desktop. Then download and save to your Desktop a new version from here: combofix.exe
      • If ComboFix.exe is not on your Desktop, the below will not work.
      • Also make sure you have shut down all protection software (antivirus, antispyware, *firewall*, ...etc) or they may get in the way of allowing ComboFix to run properly.
      Please carefully follow the instructions in the below link to most effectively run ComboFix.
      http://www.bleepingcomputer.com/combofix/how-to-use-combofix
    • MGTools.exe
      • Now go to this link MGTools and download the new version of MGtools....overwrite your previous MGtools.exe file with this one.
      • Then run the C:\MGtools\GetLogs.bat file by double clicking on it.
    Please attach the below logs to your next reply:
    • SASlog.txt
    • Malwarebytes Anti-Malware log
    • ComboFix.txt (normally C:\ComboFix.txt)
    • MGlogs.zip

    Please perform these scans and reply with the requested logs in a timely manner!

    dr.m
    Last edited: Jul 30, 2009
