RE: Read and Run Me Guide

Skip that step...just continue on and get us the logs for:
SAS
MBAM
ComboFix
C:\MGLogs.zip

 

I need the entire C:\MGLogs.zip.

 

I am not in front of a W2K machine so bear with me. There are a number of items I have questions about and would like some additional info.

Use windows explorer to find and then right click each of these items and select properties....tell me the creation date:
C:\Glenyx
C:\WINDOWS\system32\50170B
C:\WINDOWS\system32\D71ACF
C:\WINDOWS\system32\E6AD0D
C:\WINDOWS\SysWOW64\wezuzavu

I also want you to download and run both CCleaner and ATF Cleaner by Atribune.

This program does not require an installation. The executable actually runs the program.

NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked so if you have some cookies you'd like to save. Please move them to a different directory first.

* Double-click ATF-Cleaner.exe to run the program.
* Under Main choose: Select All
* Click the Empty Selected button.

If you use Firefox browser

* Click Firefox at the top and choose: Select All
* Click the Empty Selected button.
o NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

* Click Opera at the top and choose: Select All
* Click the Empty Selected button.
o NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main ATF Cleaner menu to close the program.

 

Hummm...that is not what the log indicates:

Delete them as well as the wezazu file.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file and tell me what issues you are having.

 

Removing history in FF maybe the reason for that....however, lets do this first:

Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

After clicking Fix, exit HJT.

Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Make sure that you tell me if you receive a success message about adding the above
to the registry. If you do not get a success message, it definitely did not work.

Now download The Avenger by Swandog469, and save it to your Desktop.

* Extract avenger.exe from the Zip file and save it to your desktop
* Run avenger.exe by double-clicking on it.
* Do not change any check box options!!
* Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

* Now click the Execute button.
* Click Yes to the prompt to confirm you want to execute.
* Click Yes to the Reboot now? question that will appear when Avenger finishes running.
* Your PC should reboot, if not, reboot it yourself.
* A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day):
C:\Documents and Settings\Administrator\Local Settings\TEMP\

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

 

downloading a tool we will need -

Pocket KillBox

Save it to its own folder somewhere that you will be able to locate it later.

Run HJT

Now run Pocket Killbox by doubleclicking on killbox.exe
Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
Then after it deletes the files click the Exit (Save Settings) button.
NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the

below, if some files do not show in the list after pasting them in, just continue.

Select:

* Delete on Reboot
* then Click on the All Files button.*(or on the folders option)*
* Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C

(or, after highlighting, right-click and choose copy):

* Return to Killbox, go to the Folder menu, and choose Paste from Clipboard.
* Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.

If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if

you receive this message!).

If Killbox does not reboot just reboot your PC yourself.

Get me the new MGLogs.zip

 

Killbox is not showing that it removed anything. And the logs show it is all still there.

The registry fix seemed to have stopped them from loading, so do a search for each of these in safe mode and see if you can delete them:
C:\WINDOWS\system32\50170B
C:\WINDOWS\system32\D71ACF
C:\WINDOWS\system32\E6AD0D

 

You reboot your computer and immediately start hitting F8 ...you will then have the option to start in safe mode .....

 

I have no idea what your syswow64 folder is....but I suggest you remove them also.

 

It just dawned on me that you are running a W2003 server?

If you did manage to remove those files, then just let me know if you have any additional problems before I give you the final cleanup. You can re-run both MBAM and SAS to see if anything shows up.

 

Sweet....If you are not having any other malware problems, it is time to do our final steps:

1. We recommed you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They are useful as backup scanners. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
   
   • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
   • "%userprofile%\Desktop\combofix" /u
     
     • Notes: The space between the combofix" and the /u, it must be there.
     • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
     
     
   • Delete the C:\combofix folder from combofix (if it exists)
   
   
3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
4. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
5. Go to add/remove programs and uninstall HijackThis.
6. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
7. If you are running Vista, Windows XP or Windows ME, do the below:
   
   • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
   
   
8. After doing the above, you should work thru the below link:
   
   • How to Protect yourself from malware!
   
   

 

You are quite welcome.....safe surfing.