query - Dr. Guarder and special removal procedures?

Welcome to Major Geeks!

Please read ALL of this message including the notes before doing anything.

Pleases follow the instructions in the below link:

READ & RUN ME FIRST. Malware Removal Guide


and attach the requested logs when you finish these instructions.

• **** If something does not run, write down the info to explain to us later but keep on going. ****
• Do not assume that because one step does not work that they all will not. MGtools will frequently run even when all other tools will not.

• After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain ( if any still do )!

Helpful Notes:

1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
   
   • Starting your computer in Safe mode
2. If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware and Malwarebytes ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
3. If you cannot seem to login to an infected user account, try using a different user account (if you have one) in either normal or safe boot mode and running only SUPERAntiSpyware and Malwarebytes while logged into this other user account. Then reboot and see if you can log into the problem user account. If you can then run SUPERAntiSpyware, Malwarebytes, ComboFix and MGtools on the infected account as requested in the instructions.
4. To avoid additional delay in getting a response, it is strongly advised that after completing the READ & RUN ME you also read this sticky:
   • Don't Bump! It Only Hurts You!!!

Any additional post is a bump which will add more delay. Once you attach the logs, your thread will be in the work queue and as stated our system works the oldest threads FIRST.
​

 

Have you tried running what scans you can in safe mode if normal mode is proving difficult/impossible?

If push comes to shove, just make sure you have the tools in the correct location as specified in the R&R, then at the very least rename combofix to kestrel.com and rename MGTools.exe to 123.com, THEN see if they will run. If you are still having difficulty then try this out:



Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
There are 4 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right click and choose Run as Administrator

You only need to get one of them to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

1. Rkill.exe
2. Rkill.com
3. Rkill.scr
4. Rkill.pif

Once you've gotten one of them to run then try to immediately run the following.


Download and save the below to your PC (save it anywhere you can find it. The Desktop is fine). Then double click on it to run it.

AVPFind.bat

It should take a couple minutes to run. You will see a black command prompt window while it is running and it should close when it is finished. Once it finishes, attach the c:\avplog.txt file that is will hopefully create as long as the malware does not block the batch file from running. (See: HOW TO: Attach Items To Your Post )


Now download and Run exeHelper

• Please download exeHelper to your desktop.
• Double-click on exeHelper.com to run the fix.
• A black window should pop up, press any key to close once the fix is completed.
• A log file named log.txt will be created in the directory where you ran exeHelper.com
• Attach the log.txt file to your next message.

Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).


Also please try running the below online scan:

http://www.superantispyware.com/onlinescan.html

Reboot immediately after scanning if it finds and removes anything. Let me know if anything was found. See if you can save a log with it.


Then try running these instructions: Using MGtools


Attach the below logs when finished with all of the above:

• C:\avplog.txt - from AVPfind
• a log from online SAS scan if you could make one
• log.txt - from exeHelper
• C:\MGlogs.zip - from MGtools

The C:\ assumes that drive C is you Windows boot drive. If you boot from another drive, then use the correct drive letter above.

 

Hopefully you are okay now, and I should have noticed before from your first post, however:

 

Well this is the problem you see, your boss wanted to do one thing and I wanted you to follow my instructions. Bear with me while I confer with a colleague.

 

Then attach the log from MBAM and the log from exe helper and from AVPfind
Also download and run combofix as per the instructions in the R&R. Attach the log it creates ---> C:\combofix.txt
Then do the same for MGTools and attach the log from running it ---> C:\Mglogs.zip

 

1. AVG 8.5 <--- Is now out of date, you can either upgrade to version 9 or switch to another AV.

2. There has been an update to Malware Bytes since you were last here so now in normal mode if possible and not safe mode, I would like for you to open up the program > update > re-scan > fix all it finds > and attach the log it creates into your next reply here.

3. I see SUPERantispyware was run on 23rd march, the log is retrievable here, I would like for you to also attach that.

4. You did not run combofix, you ran SDFix. Combofix is on your desktop and I will instruct you to run it again further down.

5. Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

After clicking Fix exit HJT.

6. Now download The Avenger by Swandog469, and save it to your Desktop.

• Extract avenger.exe from the Zip file and save it to your desktop
• Run avenger.exe by double-clicking on it.
• Do not change any check box options!!
• Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

• Now click the Execute button.
• Click Yes to the prompt to confirm you want to execute.
• Click Yes to the Reboot now? question that will appear when Avenger finishes running.
• Your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

7. Go to TDSSKiller and Download TDSSKiller.zip to your Desktop

• Extract its contents to your Desktop so that you have TDSSKiller.exe directly on your Desktop and not in any subfolder of the Desktop.
• Click Start > Run and copy/paste the following bold command into Run box and hit Enter.

"%userprofile%\Desktop\TDSSKiller.exe" -v

• Follow the instructions to type in "delete" when it asks you what to do when if finds something.
• When done, a log file should be created on your C: drive named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt which is based on the program version # and date and time run. Please attach this log to your next reply.

8. Please go to Add/Remove programs and uninstall the following software:

1. J2SE Runtime Environment 5.0 Update 6
2. Java(TM) 6 Update 3
3. Java(TM) 6 Update 5
4. Java(TM) 6 Update 7

9. Now reboot your machine and install the most current and up to date version of Java available here at the below link:

Java Runtime 6

10. Now I want you to run combofix as per the instructions in the Read and Run Me First Procedures.

11. Run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

12. Let us know of any problems you may have encountered with the above instructions and also let me know how things are running now!