Ran all programs for XP Clean

Discussion in 'Malware Help (A Specialist Will Reply)' started by mamabear0604, Apr 7, 2010.

  1. mamabear0604

    mamabear0604 Private E-2

    I performed all items for the XP Clean. I want to be sure that I have got everything. Can someone review the logs for me? I have also included a HijackThis report from before the cleaning process and one for after. You will notice that there are 2 Malwarebytes logs: one was run during the cleaning process and one was run after.

  2. mamabear0604

    mamabear0604 Private E-2

    the rest of the logs

  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Let's start with this:

    First please put ComboFix directly on your desktop, not here:
    Running from: c:\documents and settings\Compaq_Administrator\Desktop\Downloads\ComboFix.exe

    What is this? c:\documents and settings\Compaq_Administrator\mm.exe --> if you know, remove it from the ComboFix script.

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    File::
    c:\documents and settings\Compaq_Administrator\mm.exe 
    c:\documents and settings\Compaq_Administrator\Application Data\msplyi4d\msplyi4d.exe
    c:\documents and settings\Compaq_Administrator\msplyi4d.exe
    c:\windows\system32\iihihe.dll
    
    Folder::
    c:\documents and settings\Compaq_Administrator\Application Data\msplyi4d
    
    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "msplyi4d"=-
    "awwvspdrv"=-
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "efdeefdrv"=-
    
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "awuvwudrv"=-
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\ComboFix.txt
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
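    Before dragging a CFScript onto ComboFix it helps to see exactly what it will act on. The parser below is an added example for this thread, not code from ComboFix or from the post; it reads the section types used above (KILLALL::, File::, Folder::, Registry::, with the reg-file style "name"=- meaning "delete this value") and returns a review summary. It assumes only the syntax shown in the post.

```python
import re

# Constructed sample: the CFScript from TimW's post above, embedded so this runs offline.
SAMPLE_SCRIPT = r"""KILLALL::
File::
c:\documents and settings\Compaq_Administrator\mm.exe
c:\documents and settings\Compaq_Administrator\Application Data\msplyi4d\msplyi4d.exe
c:\documents and settings\Compaq_Administrator\msplyi4d.exe
c:\windows\system32\iihihe.dll
Folder::
c:\documents and settings\Compaq_Administrator\Application Data\msplyi4d
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msplyi4d"=-
"awwvspdrv"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"efdeefdrv"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"awuvwudrv"=-
"""

def parse_cfscript(text):
    """Split a CFScript into flags, file/folder targets and registry edits."""
    result = {"flags": [], "File": [], "Folder": [], "Registry": []}
    section, current_key = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):  # section header such as File:: or a bare flag such as KILLALL::
            name = line[:-2]
            if name in ("File", "Folder", "Registry"):
                section = name
            else:
                result["flags"].append(name)
                section = None
        elif section in ("File", "Folder"):
            result[section].append(line)
        elif section == "Registry":
            if line.startswith("[") and line.endswith("]"):
                current_key = line[1:-1]  # [HKEY_...] names the key for the lines that follow
            else:
                m = re.match(r'"([^"]+)"=(.*)$', line)
                if m and current_key:
                    action = "delete" if m.group(2) == "-" else "set"
                    result["Registry"].append((current_key, m.group(1), action))
    return result

def run_value_deletions(parsed):
    """Value names the script removes from any ...\\CurrentVersion\\Run key (autostart entries)."""
    return [name for key, name, action in parsed["Registry"]
            if action == "delete" and key.endswith("\\Run")]
```

Listing the Run-key deletions separately is useful because those randomly named values are the autostart entries that kept relaunching the processes the poster saw in Task Manager.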
     
  4. mamabear0604

    mamabear0604 Private E-2

    I was able to boot the computer without the rundll errors. I also do not see any funny dll names in my registry any more. Nor do I see them in my task manager. Before there were several in my task manager; just as soon as I killed them they opened back up. I knew that the funny dlls were a part of something bad but did not know what. They had random letters. I had thought about just deleting them from my registry, but was afraid that would not fix the problem, and they might multiply, as I read on one of the forums that this was possible. Although I do not know enough to fix it all myself, I'm smart enough to know that the dlls were not part of something I should have. My computer wasn't running super slow, a little lagging, but what clued me in was all the dlls in task manager; then when I could not get Malwarebytes to run I knew there was something terribly wrong. I have used Malwarebytes on my computer for a long time now, and believe it is an awesome program to have. Unfortunately I do not remember to run it as often as I should. I never even thought about changing the name to work around the virus. Another thing I tried was the Microsoft malware removal tool, but whatever was blocking Malwarebytes was also blocking that. I have renamed Malwarebytes back to its original name and tried running it; it now pops up to run, as well as the Microsoft malware removal tool.

    As for the mm.exe file you asked about, it says it is I-Q Manager, not something that I have downloaded or at least had knowledge of downloading. I know that once I was able to run mbam and the cleaning process, it popped up in my task bar in the bottom right. There was an icon there I didn't recognize, so I clicked it to see what it was. It popped up a screen saying something about copyrights and would not allow you to X out of it. I was able, however, to kill it via task manager and found it in my add and remove programs. I was able to uninstall it that way.

    At any rate I have attached the logs you asked for. I appreciate all of your help. If you see anything else that I should be concerned with, just let me know, and will gladly perform what step I need to get it fixed.

    Again I thank you for your help.

  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Good to know things are working again. There is one file left that you can find and delete using windows explorer:
    C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\MYhtd

    Otherwise your logs are clean.

    I strongly advise you to clean up your Desktop. Remove everything but links to run programs. Do not download and save programs here and definitely do not use it for long term storage. You need to keep ComboFix.exe here for now as we need it, but we will be removing it when we are finished with your cleanup. A cluttered Desktop is malware's playground and it can also cause performance degradation, especially when you start saving large files here like you are doing.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between combofix" and /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    8. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 6 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work through the below link: