Read and Run and XP Cleaner completed...

Discussion in 'Malware Help (A Specialist Will Reply)' started by MercuryGoddess, Aug 6, 2008.

  1. MercuryGoddess

    MercuryGoddess Private E-2

My computer came under attack on July 30, 2008 when my husband tried to download Bit Torrent. Our licence had expired on our Avira AntiVir and had not been updated since April 2008. The initial attack was a plethora of fake antivirus popups and hijacking of Internet Explorer (reverting it to an older version and redirecting to random phisher sites).

    Somehow I was able to get around this and update Avira AntiVir. After running Avira's scan and deleting all detections, I was able to regain control of my browser and basic system use.

However.... the detections of bad stuff (trojans, adware, etc.) continued and were not being deleted. After a week of searching the web and trying various fixes suggested online (including using MSConfig), I eventually found this site. (I did a Google search for removing WinCtrl32.)

    I have completed READ & RUN as well as the XP Cleaner.
    I am not sure if my computer is fixed yet. I'm attaching the logs from Super AntiSpyware, Malwarebytes, Combofix, and MGtools.
Can someone have a look at my logs and let me know if there is anything else I need to do? Thank you so much for all the help! The Read & Run walkthrough was so helpful and user-friendly. Many thanks to those responsible for putting this together!

    MercuryGoddess
     

    Attached Files:

  2. MercuryGoddess

    MercuryGoddess Private E-2

    MGtools log
     

    Attached Files:

  3. MercuryGoddess

    MercuryGoddess Private E-2

    UPDATE: Still infected with trojans

    My automatic daily Avira AntiVir scan just completed. There were 5 detections and 2 warnings.
    The two warnings were files that could not be opened.
    The five detections were all trojans.
    1 was called TR/Crypt.XDR.Gen and 4 of them were called TR/Trash.Gen.

All of them were deleted but they are the same ones that keep coming back. All five were found in C:\System Volume Information\_restore{B644......

    I'm including my Avira AntiVir log.

I'm wondering if I should toggle System Restore now or not. Should I run any of the tools from "READ & RUN ME FIRST" again?
     

    Attached Files:

  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

The items in the System Volume Information folder (System Restore) will be removed when we toggle System Restore at the end of your cleaning.

    If you haven't already, please disable the Guest account in User accounts.

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    NOTE: HJT may popup an error about the AppInit_DLLs line. Ignore it and click OK to continue.

    After clicking Fix, exit HJT.

Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Now download The Avenger by Swandog469, and save it to your Desktop.

    * Extract avenger.exe from the Zip file and save it to your desktop
    * Run avenger.exe by double-clicking on it.
    * Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\Temp
    C:\Documents and Settings\%username%\Local Settings\Temp

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

    Be sure to tell us how things are running.
     
  5. MercuryGoddess

    MercuryGoddess Private E-2

    Thank you TimW!

    I followed the directions in your last post and I'm attaching the logs from Avenger and MGtools.

My computer has two usernames/desktops. Both are administrator accounts and both are password protected. I have done all these fixes using only one user account except where specifically directed in the READ & RUN ME walkthrough (CCleaner for all user accounts including Administrator in Safe Mode). I was wondering if all of these fixes (including the ones in READ & RUN ME..) automatically worked on all user accounts at the same time. Do I need to log onto the other user account and run anything again before finishing?

    So far, everything seems to be running so much better!! Thank you! :)
     

    Attached Files:

    Last edited: Aug 7, 2008
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Scans got rid of all of it...so let's do some clean up.

    (And yes, you should at least run MalwareBytes and SAS on the other account).

    Please disable the guest account in user accounts.

Run this: Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.

    * Double-click ATF-Cleaner.exe to run the program.
    * Under Main choose: Select All
    * Click the Empty Selected button.

    If you use Firefox browser

    * Click Firefox at the top and choose: Select All
    * Click the Empty Selected button.
    o NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    If you use Opera browser

    * Click Opera at the top and choose: Select All
    * Click the Empty Selected button.
    o NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    Click Exit on the Main ATF Cleaner menu to close the program.

    Tell me what other issues you may have. :)
     
  7. MercuryGoddess

    MercuryGoddess Private E-2

    Hi TimW

    I've run into a problem. First though...
    On my user account (the one I used for everything so far), I followed the directions in your last post. I removed Windows Messenger. Then I created the new fixMe.reg file from the info you gave and merged it with the registry. The merge was successful. Then I downloaded and ran the ATF Cleaner. Everything went smoothly.

    Then...
I logged onto the other user account on my computer (my husband's) and ran SUPERAntiSpyware. It came up with 13 or 14 detections. Removal and reboot went well. Then I ran Malwarebytes Anti-Malware. That one found 6 items including a Vundo virus. I clicked to remove selected and saved the log. Then I decided to switch back to my user account in order to post the logs but when my desktop was loading I got this popup error...

    svchost.exe-Application Error
The instruction at "0x7c9105f8" referenced memory at "0x00000010". The memory could not be "read".
    Click OK to terminate the program
    Click CANCEL to debug the program

I clicked "OK" and the error went away. But then I could not open anything. Not even START or Task Manager. I had to force a reboot. After reboot, I logged onto my husband's user account (trying to avoid the error message), but when the desktop loaded, the same error popped up. This time I clicked "CANCEL" to debug the program. The error box went away and I was able to open my browser and get here.

    I'm attaching the logs from SUPERAntiSpyware and Malwarebytes Anti-Malware. I'm hoping the error was a leftover glitch from removing infected files that hopefully could be fixed with a new fixME.reg file. Hoping... ;)

    Thank you again for all your help! Crossing my fingers that we are almost done. :)
     

    Attached Files:

    Last edited: Aug 8, 2008
  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Hard to tell what is causing the error message.....first thing to try is to turn off auto updates.

Then run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file --> on your husband's user account.
     
  9. MercuryGoddess

    MercuryGoddess Private E-2

    Thanks for the quick reply! :)

I left my computer idle for several hours and when I returned to check back here for a reply, IE went to a "could not load page" error. I ran the system diagnostic option on screen. It found an error with the Winsock, repaired it, and rebooted. After reboot, I logged back onto my husband's user account and there was no svchost error message this time. I was also able to use IE to get here with no problems.

I disabled Automatic Updates like you suggested and then ran MGtools\GetLogs.bat on my husband's user account.

NOTE: I forgot to mention before.... during the onslaught of virus attacks before doing READ & RUN ME, Automatic Updates was disabled and I was unable to get it turned back on. I think the virus(es) were blocking it. But after following the directions in your message yesterday at 12:19, I noticed that Windows Automatic Updates was restored and was updating normally again.

I turned it off to run MGtools... should I turn Automatic Updates back on now? Or wait?
    Thanks again!

    Here is the MG log:
     

    Attached Files:

  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

The MGlogs look good....do run CCleaner to rid the temps.

    I suspect that the error you were getting may have been due to a MS update that was running when you turned off the system.

    Are you having any other issues with any user accounts?

     
  11. MercuryGoddess

    MercuryGoddess Private E-2

    That is great news!

    I ran CCleaner on both user accounts and I turned Automatic Updates back on. Everything seems to be running great on both accounts! Thank you so much!

    When all of this started, I thought for sure that we were going to have to completely reformat. I'm so glad that didn't have to happen! I hadn't backed up my documents for nearly a year! Sheesh! :eek: That is the first thing I'm going to do when we are finished here.

    Is it time for me to remove some of these tools now and toggle system restore?
     
  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Sweet......If you are not having any other malware problems, it is time to do our final steps:
     
  13. MercuryGoddess

    MercuryGoddess Private E-2

    OK, all done with the clean-up. Now I'm off to work through the "How to protect yourself from malware!" link.

    Thank you, TimW! I wish I had known about this site before all this happened. I'll definitely be checking back often to make sure I'm keeping my comp's protection up to date!

    I still have a few (pre-malware attack) computer issues but they are software and hardware related so I'll jump over there for help.

    I can't thank you enough! You rock!! :cool

    :wave
     
  14. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are very welcome ....safe surfing, and I will try to keep an "eye" on any future threads in software or hardware. :)
     
