Recovering from an infection

Discussion in 'Malware Help (A Specialist Will Reply)' started by konoha21, Apr 21, 2009.

  1. konoha21

    konoha21 Private E-2

    Hi,

    My nephew visited this weekend and infected my desktop even though he was logged in under a limited user account. I guess that doesn't mean much since the computer was still able to be infected even with zonealarm active. I usually run a malwarebytes and superantispyware scan each week so I believe I've cleaned most of the infection up. The computer now runs much better than it was a few days ago but it has frozen up a couple times even though I'm hardly running any programs so I just want to make sure there are no other issues. Your assistance is much appreciated. Thanks!
     

    Attached Files:

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Not much to do ....

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now use windows explorer to find and delete:
    c:\documents and settings\All Users\Application Data\dihizama
    c:\documents and settings\All Users\Application Data\jikuwako
    c:\documents and settings\All Users\Application Data\gobejoru
    c:\documents and settings\All Users\Application Data\debunolo

    Tell me what issues you still have.
     
  3. konoha21

    konoha21 Private E-2

    Hi Tim,

    Thanks for reviewing my logs. I used Hijack This to remove that anonymous toolbar and I deleted the folders and files you indicated. The only issue I'm seeing now is that the computer froze up again when I tried to enable system restore after disabling it. I would only be able to re-enable system restore after unplugging the computer. It's happened three times now since the computer's been infected, twice after I used malwarebytes to remove the infection and just now. It was never a problem before the infection. I'm concerned the infection altered the registry somehow.
     
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Use windows explorer to find and delete:
    c:\program files\x73_lut.dat

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\MGlogs.zip
     
  5. konoha21

    konoha21 Private E-2

    Thanks again for your help, Tim. Here is the MGTools file. Zonealarm found another infection during a scan yesterday with file: e.exe. I had zonealarm quarantine it and delete it. I also deleted the file you indicated as well. I toggled system restore again but the computer froze on the re-enabling part. After unplugging it, I was able to enable system restore. Any assistance you provide is much appreciated. Thanks.
     

    Attached Files:

  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Your logs are clean. If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They are useful as backup scanners. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Note: the space between combofix" and /u must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.

      • Delete the C:\combofix folder from combofix (if it exists)

    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    7. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    8. After doing the above, you should work through the below link:

     
  7. konoha21

    konoha21 Private E-2

    Everything seems to be okay. Thanks for all of your help, Tim. Cheers!
     
  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are most welcome....go forth and surf. :)
     
