Questions about following "Read me first"

I got attacked by the Win32.NetSky virus a few days ago and have carried out all the steps in your "read me first malware removal" forum down to the install these tool part. I already have Super-Anti Spyware and Malwarebytes installed, updated and ran scans with them the day after I was infected. In fact the Malwarebytes found some 19 infected files and registry items. My questions are these: 1. You say not to have these scanning programs in My Documents. That is where they both are, so how do I move them and where to? 2. You say to rename the file mbam.setup.exe to mb.exe. I cannot find this file using start then search and typing in that file name. How do I find it? 3. You say to skip the downloading of Combofix if I have a 64bit version of Windows. How do I find out if I have a 64bit version? As you have probably guessed I am not very computer savy, so any help will be appreciated. I don't have any more popups coming up but since being infected, everytime I go online, pages begin to freeze up and not load quickly. I want to be sure my machine is clean. I have also ran scans with Window's Defender (now removed par you instructions), AVG, Spy Hunter(also removed), and Microsoft's Malicious spyware removal tool (used from their site, not downloaded). Thank You

 

How to determine whether a computer is running a 32-bit version or 64-bit version of the Windows operating system

If you let the software install to it's default location then you are fine. You only need to rename it if it will not run.

 

Ok, I followed the link you had and found out I have a 32 bit version of XP home. I always let downloads go to the default location and CCleaner will work so I don't guess the folder needs to be renamed. That 2 questions down, Thank You. What about moving the Malwarebytes and Super-anti Spyware out of "MY Documents" How do I do that and where should they be placed?

 

Have you already scanned with them? If so please attach the logs along with the other scans from RootRepeal and MGtools.

If not. Do they show in Add or Remove Programs? If so uninstall them from there and then reinstall them letting them install to their default locations which will be C:\Windows\System32

Note: DO NOT run ComboFix!

 

I first scanned with AVG and it found no problems except cookies and took over 4 hours to complete. Next morning I ran Super-anti and it found two infected files but the problem remained. Next I ran Malwarebytes and it found 19 infected files and registry items. Both of those logs are attached. I have tried downloading RootRepeal and keep getting a message that the due to the bandwidth use and number of views it is unavailable now. I did a MGtools scan and it is attached. The Super-anti and Malwarebytes are both in C/Programs not Documents/Settings. Should I still uninstall them and reload them?

 

They are in the right place so don't worry about them.

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX Checked until you exit all browser sessions including the one you are reading in right now:

• R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
• O4 - Global Startup: SystemExplorerDisabled
• O9 - Extra button: (no name) - {DF96BA30-57F6-4700-8065-910EC3BE9E3B} - (no file)

After clicking Fix checked, exit HijackThis.



Download The Avenger by Swandog46 and save it to your desktop.

* Extract avenger.exe from the Zip file and save it to your desktop
* Run avenger.exe by double-clicking on it.
* Do not change any check box options!!
* Copy everything in the Code box below, and paste it into the Input script here window:

Code:

Comment:

 Files to delete:
C:\WINDOWS\system32\11478.exe
C:\WINDOWS\system32\15724.exe
C:\WINDOWS\system32\18467.exe
C:\WINDOWS\system32\19169.exe
C:\WINDOWS\system32\24464.exe
C:\WINDOWS\system32\26500.exe
C:\WINDOWS\system32\26962.exe
C:\WINDOWS\system32\29358.exe
C:\WINDOWS\system32\6334.exe

* Now click the Execute button.
* Click Yes to the prompt to confirm you want to execute.
* Click Yes to the "Reboot now?" question that will appear when Avenger finishes running.
* Your PC should reboot, if not, reboot it yourself.
* A log file from Avenger will be produced at C:\avenger.txt and it will pop-up for you to view when you login after reboot.

* Add the Avenger log in your next post.



Scan your computer with Panda ActiveScan

* Once you are on the Panda site click the Scan your PC now button.
* A new window will open...click the Scan Now button.
* If it wants to install an ActiveX component allow it.
* It will start downloading the files it requires for the scan. (Note: It may take a couple of minutes)
* You may get a warning from Internet Explorer that Panda is ready to install, please allow it.
* The scan will begin. Please be patient as it can take an hour or more to complete.
* When the scan completes, if anything malicious is detected, click the Export to: button (looks like a little Notepad).
* Save the ActiveScan.txt to a convenient location like your desktop.
* Note: You do not need to select any of the Disinfect options. We will remove any threats manually.

* Post the contents of the ActiveScan report in your next reply.

 

Here are the logs from the Panda scan and the Avenger scan. Do you want to keep working on this tonight? I don't mind but it is up to you.

 

No logs.

 

Let's try that again. I opened both files on my desktop and they both contain information. Under this message box in the attach files it shows both files.

 

Looks good. Is the computer running okay now?

If you are not having any other malware problems, it is time to do our final steps:

1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
2. If we used Pocket Killbox during your cleanup, do the below
   • Run Pocket Killbox and select File, Cleanup, Delete All Backups
3. Any other miscellaneous tools we may have had you install or download like The Avenger can be uninstalled and deleted.
4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
5. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
6. Go to add/remove programs and uninstall HijackThis.
7. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
8. If you are running Vista, Windows XP or Windows ME, do the below:
   • Refer to the cleaning procedures in step 3 the READ ME for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
9. After doing the above, you should work through the below link:
   • How to Protect yourself from malware!

Be sure to reset your System Restore points to remove the old infected files.

Disable/Enable the System Restore Utility to flush old infected restore points

1) Right click the My Computer icon on the Desktop and click on Properties.
2) Click on the System Restore tab.
3) Put a check mark next to Turn off System Restore on All Drives
4) Click the OK button.
5) You will be prompted to restart the computer. Click the Yes button.

Now re-enable System Restore

To re-enable the System Restore Utility, follow steps one to five and on step three remove the check mark next to 'Turn off System Restore on All Drives'.

1) Right click the My Computer icon on the Desktop and click on Properties.
2) Click on the System Restore tab.
3) Remove the check mark next to Turn off System Restore on All Drives
4) Click the OK button.

 

OK, I removed all my restore points, although the choice on the System restore tab was did not say "all drives". It simply said "turn off system restore". I rebooted and set a new restore point and named it. I read through the protect yourself from malware and did the adjust Active X security settings up to the last two on the list. There was no "Navigate subframes across different domains" listed only a "Navigate windows and frames across diff. domains" I set it as prompted. There was not any "Allow paste operations" only: "Allow programmatic clipboard access" and "Allow status bar updates via script". I did not change either of them. I am in the process of disabling Autorun now. Just did the windows update and rebooted. Thanks for all your help. I hope this has done the trick. I don't want to be spreading any virus around.

 

Your welcome. Let us know if anything else comes up.

Safe surfing...

 

Well I got back on the web today and I am still having the problem with freeze ups and pages not loading. It only happens when I am on the web using either IE or Mozilla Foxfire. The sites I have gone to are trusted sites, ehow.com, ebay.com, that usually work well for me. It is different each time I go to a site, with the same page sometimes opening quickly with no problems and then another time it will freeze and not fully load. I have tried refreshing the pages and using the back button with mixed results. I have five minutes for a page to load with no luck.

 

For a slow computer/browser see here. Basic computer maintenance everyone should do

If you are not having malware issues (we cleared your logs) then you will need to address any other issues in the Software forum.