Removal Results

aburn55 · Mar 2, 2011

Hello,

I had been having random issues for several months, however nothing consistant, and my MAM software was not picking up any issues during a scan. Recently syptoms have become progressively more prevelent and consistant. Started with internet running slow. Weird emails which I would not open were also appearing in my outlook inbox for pharmaceuticals, or just a few random letters in the alphabet. Then certain websites such as facebook and yahoo would not load properly i.e. pictures etc. As of monday I was not able to connect to the internet at all. "Error finding the server." Connection, however, was showing as "connected status" at 100Mbps.

I found your forum and went through each step provided. Inorder to download the scans, due to know internet access on infected computer, I saved each scan on a disk, on my clean computer, then uploaded and ran on my infected computer. Most scans seems to perform correctly, with the exception of the following 3 things:

Defogger - unable create log....I believe this was because I couldn't access internet!?!?
Root Repeal - Error - Invalid PE image found
both seemed to run correctly after messages.
Lastly, after I ran root repeal, and thought I would try to restart my modem and router, as I could not perform the MGtools through my D: disk - said "failed to ensure dir exists: /MGtools.
After reconnecting the internet, I had a successful connection, was able to download and run MGtools correctly!!!!

At this moment everything seems to be running ok. I have not restarted since successful completion of the steps, just in case anything goes wrong, I want to be able to successfully post my results and ensure I am back in the saddle. Thank you for your forum, and thank you for you help!!! Truely wonderful!!!

See below attachment results:

aburn55 · Mar 2, 2011

the MGtools results attachment......

look forward to hearing back and thank you again for any advise/insight!!!

dr.moriarty · Mar 2, 2011

Welcome to MajorGeeks!

I am currently reviewing your logs and will get back to you with instructions as needed.

*Our queue is working the oldest threads first.

dr.m

dr.moriarty · Mar 3, 2011

Hello, aburn55

I have some questions:
Why don't I see any anti-virus program installed?
Do you know what these are?

C:\Documents and Settings\Administrator\Templates\4133161817
C:\Documents and Settings\Administrator\Templates\4jQKt4bcyWk7v
Click to expand...

...and comments:
*You should increase your installed RAM to a minimum of 1GB for running XP SP3 without experiencing system lags.

Total Physical Memory -------- 512.00 MB
Available Physical Memory ---- 184.00 MB
Click to expand...

*Consider updating your outdated Mozilla Firefox (3.5.16) to Mozilla Firefox 3 3.6.14 Final
*Your Malwarebytes' database is 3 months old. Open Malwarebytes', click on the "Update" tab and "Check for updates". Once updated, run a new "Quick scan" - attach that new log to your next reply.

Now, just a few minor things to fix:

Step 1:
*Other than the tools our guide instructed you to save there, I strongly recommend that you clean up this account's Desktop immediately leaving only shortcut links. [ C:\Documents and Settings\Administrator\Desktop ] Do not store downloads, exe files, iso files....etc on your Desktop. First it is not a safe place to keep them (i.e., you may loose them due to malware, and a cluttered Desktop is an easy hiding place for malware), and last but not least - it can have an effect on your PCs performance.

Step 2:
Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: (no name) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - (no file)
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
Click to expand...

After clicking Fix, exit HJT.

Step 3:
Now we need to use ComboFix.

Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!

If it is not on your Desktop, the below will not work.

Make sure you have shut down all protection software (antivirus, antispyware, firewall...etc) programs so they do not interfere with the running of ComboFix. *Remember to re-start them before coming back online.

If ComboFix tells you it needs to update to a new version, make sure you allow it to update.

Open Notepad and copy/paste the text inside of the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):

KILLALL::

File::
C:\Temp\DBI02152
C:\Temp\lbi02152
C:\Temp\srt02152

Folder::
C:\Documents and Settings\All Users\Application Data\McAfee

Registry::
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}]

RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
Click to expand...

Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe

At this point, you MUST EXIT ALL BROWSERS NOW before continuing!

You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
If it asks you to overide the previous file with the same name, click YES.

Now use your mouse to drag CFscript.txt on top of ComboFix.exe
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Follow the prompts.

When it finishes, a log will be produced named c:\combofix.txt

Note:
Do not mouseclick combofix's window while it is running. That may cause it to stall.

Step 4:
Open CCleaner - select "Cleaner" > "Run Cleaner" <---use this function ONLY!

Step 5:
Now install the latest Sun Java Runtime Environment

Step 6:
Then run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Windows 7, use right click and select Run As Administrator).

Please attach the below logs to your next reply:

C:\MGlogs.zip

updated mbam-log.txt

* Make sure you tell me if you had any problems running this procedure; and answer this - "What malware problems are you still experiencing?"

dr.m

Log in or Sign up

Removal Results

aburn55 Private E-2

Attached Files:

saslog.txt

mbam-log-2011-03-01 (16-31-21).txt

ComboFix.txt

rrreport.txt

aburn55 Private E-2

Attached Files:

MGlogs.zip

dr.moriarty Malware Super Sleuth Staff Member

dr.moriarty Malware Super Sleuth Staff Member