Now what

mieyebo74 · Mar 23, 2010

Ok, followed instructions. Before I could even start, I kept getting this when I would try to open add/remove, or other exe files...C:\windows\system32\rundll32.exe.

Did some research, and downloaded xp_exe_fix. That seemed to fix a lot of problems. Haven't toggled system restore yet. Thought I'd wait until I got a clean bill of health. Here are the logs.

mieyebo74 · Mar 23, 2010

Re: Programs won't open

And....

mieyebo74 · Mar 23, 2010

I followed the steps for malware removal, saved the logs, haven't toggled restore point yet. Am waiting to hear back. I had posted in the wrong forum. please go to: http://forums.majorgeeks.com/showthread.php?t=212803. The logs and responses are there.

I am working from a different pc, which doesn't have the logs. Please post reply here. Thanks.

TimW · Mar 23, 2010

I have found and moved your posts. Give me a while to review them.

mieyebo74 · Mar 23, 2010

I looked for a way to do it myself to save you the hassle. I appreciate it.

TimW · Mar 23, 2010

Please double-click the RootRepeal.exe previously downloaded.

* Select File then Scan
* On the Select Drives form select drive C by "ticking" the box for drive C and click OK
* When the scan is complete - highlight each of the following file(s) (one at a time if more then one is listed) by left clicking it. Then use right mouse click and select the Wipe File option only for each file.
C:\Documents and Settings\Tiffany\Local Settings\Temp\1F.tmp
C:\Documents and Settings\Tiffany\Local Settings\Temp\20.tmp
* After Wiping all files, immediately reboot your pc!

Re-run RootRepeal and attach the new log.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

* C:\MGlogs.zip

Make sure you tell me how things are working now!

TimW · Mar 23, 2010

I am doing 5 things at once...LOL.....so now, after you have done that, use windows explorer to find and delete:
C:\Documents and Settings\Tiffany\Local Settings\Temp\2f.tmp
C:\Documents and Settings\Tiffany\Local Settings\Application Data\2041221384.dll
C:\Documents and Settings\Tiffany\Local Settings\Application Data\Ogl6
C:\Documents and Settings\All Users\Application Data\Ogl6

Then move ComboFix directly to your desktop, not here:
Running from: c:\documents and settings\Tiffany\My Documents\Downloads\ComboFix.exe.

It should be here:
Running from: c:\documents and settings\Tiffany\Desktop\ComboFix.exe.

mieyebo74 · Mar 24, 2010

I ran RootRepeal, it appears the files you asked me to wipe were changed.

These files:
C:\Documents and Settings\Tiffany\Local Settings\Temp\1F.tmp
C:\Documents and Settings\Tiffany\Local Settings\Temp\20.tmp

Changed to:
C:\Documents and Settings\Tiffany\Local Settings\Temp\818.tmp
C:\Documents and Settings\Tiffany\Local Settings\Temp\819.tmp

818- could not find file on disk
819- only option was force delete

I will hold off moving forward until I hear back. Log is attached.

TimW · Mar 24, 2010

Your RootRepeal log is empty. Try running it again please. Also, run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

* RootRepeal log
* C:\MGlogs.zip

mieyebo74 · Mar 24, 2010

Sorry about that. I ran RootRepeal twice. First time:

Checked C:\ - came up empty
Checked C:\ & D: - came up empty

-Popup came up: Unrecognized partition type 6 (0x6), I think because I checked both. Otherwise nothing was ever found in scan of C:\. At the bottom it said initializing, please wait, and nothing.

Second time:

C:\ - Came up empty
Both- Said it found 4, but shows 2, which changed again. Both logs are attached.

Haven't gone any further. Haven't tried wiping them yet.

TimW · Mar 25, 2010

I don't know why the name is changing, but you need to let RootRepeal delete them. Let's do this again.

Please double-click the RootRepeal.exe previously downloaded.

* Select File then Scan
* On the Select Drives form select drive C by "ticking" the box for drive C and click OK
* When the scan is complete - highlight each of the following file(s) (one at a time if more then one is listed) by left clicking it. Then use right mouse click and select the Wipe File option only for each file.
C:\Documents and Settings\Tiffany\Local Settings\Temp\BD2.tmp
C:\Documents and Settings\Tiffany\Local Settings\Temp\BD3.tmp
* After Wiping all files, immediately reboot your pc!

If it shows other Temp files, include them as well!!

* Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
If it is not on your Desktop, the below will not work.
* Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
* If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
* Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
Code:
KILLALL::

File::
C:\Documents and Settings\Tiffany\Local Settings\Temp\be6.tmp
C:\Documents and Settings\Tiffany\Local Settings\Application Data\2041221384.dll
C:\Documents and Settings\Tiffany\Local Settings\Application Data\Ogl6
C:\Documents and Settings\All Users\Application Data\Ogl6

Folder::
C:\Documents and Settings\Tiffany\Local Settings\Application Data\Ogl6
C:\Documents and Settings\All Users\Application Data\Ogl6
* Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
* At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
* You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
If it asks you to overide the prvevious file with the same name, click YES.
* Now use your mouse to drag CFscript.txt on top of ComboFix.exe
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
* Follow the prompts.
* When it finishes, a log will be produced named c:\combofix.txt
* I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

Now re-run RootRepeal.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

Then attach the below logs:
* RootRepeal log.
* C:\ComboFix.txt
* C:\MGlogs.zip

Make sure you tell me how things are working now!

mieyebo74 · Mar 29, 2010

I apologize for taking so long to reply, been busy all week.

I ran RootRepeal 4 times. twice before Combofix (didn't save log), and twice after. Only scanned C:\. Each intial scan came up empty. The second of each instance, came up with 2 files. All logs are attached.

TimW · Mar 30, 2010

I want you to run both SAS and MBAM on the other user account. Attach any log that shows malware.

* Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
If it is not on your Desktop, the below will not work.
* Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
* If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
* Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
Code:
KILLALL::

File::
C:\Documents and Settings\Tiffany\Local Settings\temp\15.tmp
C:\Documents and Settings\Tiffany\Local Settings\temp\16.tmp
C:\Documents and Settings\Tiffany\Local Settings\temp\1c.tmp

Folder::
C:\Documents and Settings\Tiffany\Templates\Ogl6
* Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
* At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
* You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
If it asks you to overide the prvevious file with the same name, click YES.
* Now use your mouse to drag CFscript.txt on top of ComboFix.exe
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
* Follow the prompts.
* When it finishes, a log will be produced named c:\combofix.txt
* I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

* C:\ComboFix.txt
* C:\MGlogs.zip

Make sure you tell me how things are working now!

Log in or Sign up

Now what

mieyebo74 Private E-2

Attached Files:

combofix.txt

mbam-log-2010-03-23 (00-20-17).txt

Rr.txt

SAS log - 03-22-2010 - 23-55-12.log

mieyebo74 Private E-2

Attached Files:

MGlogs.zip

mieyebo74 Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

mieyebo74 Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

mieyebo74 Private E-2

Attached Files:

RR2.txt

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

mieyebo74 Private E-2

Attached Files:

RR3.txt

MGlogs.zip

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

mieyebo74 Private E-2

Attached Files:

Rr3.txt

Cfix.txt

MGlogs.zip

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member