Scans So Far

Discussion in 'Malware Help (A Specialist Will Reply)' started by linuxpowers, Jan 5, 2010.

  1. linuxpowers

    linuxpowers Specialist

    In my first posting, I stated that I would go back through the "READ & RUN ME FIRST" thread. I have now completed all the scans down to MGTools where I encountered my first issue.

    I'm still not sure what to do about MGTools, but I was told the procedure would be to post the logs of what I had so far in this thread. With that said, here are the logs from the scans I did complete:
     

    Attached Files:

  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I hear you are having trouble with MGTools.... if you ran it then there should be a zipped file directly on your C Drive called Mglogs.zip. Please attach it if it is there and if it isn't there then let me know.....
     
  3. linuxpowers

    linuxpowers Specialist

    Well, yes I did run it. The application MGTools.exe resides in my root directory...C:\

    When I double-clicked on it, it created its own folder, C:\MGTools.

    When I open that folder, I see:

    22 DOS Batch files (.bat)
    10 Registration Entry files (.reg)
    11 Applications files (.exe)
    1 Text Document (.txt)
    1 Folder named temp (which contains 4 more folders, VSP1, VSP2, XVSP3 & XVSP4)

    ...and that's all!

    As for Mglogs.zip being located directly in C:\....it is not!
     
  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

  5. linuxpowers

    linuxpowers Specialist

    OK, here's my log file from running ESET's online scanner:
     

    Attached Files:

  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Please click Start, Run, and enter cmd and click OK. This will open a command prompt window. Enter the below commands at the command prompt each followed by the enter key. The bold black are commands. The purple is merely informational.

    cd \MGtools <-- this changes to the MGtools folder and the prompt should change to C:\MGtools>
    ShowNew <-- this will try to run another scan from MGtools. Tell me what error messages, if any, you see.
    GetRunKey <-- this will try to run one scan from MGtools. Tell me what error messages, if any, you see.
     
  7. linuxpowers

    linuxpowers Specialist

    OK, brought up start/run and typed in cmd. From there I switched to the MGtools directory and I entered ShowNew. This initialized the ShowNew.bat file and started the scan. Eventually, notepad popped up during this process with the scan results and finished with the line:

    End scan time
    It's Sat January 9, 2010 06:01:31 AM
    Zipping newfiles.txt


    Now, I'm at a loss at how to proceed because the command line cursor is flashing like it's waiting to finish, (even though my hard drive light went out), but there is nothing in front of it, i.e.: C:\MGtools

    I'm not sure if the command line is waiting for me to close out that text file that popped up or what!

    The last process that the command line was doing was this:

    ===========================================

    Checking for .COM files to Delete. They will only print if deleted!
    Listing DLL, EXE and SYS file in C:\WINDOWS
    Locating DLL files in C:\WINDOWS
    Locating DLL files in C:\WINDOWS\system32 - recursive
    Locating EXE files in C:\WINDOWS
    Locating EXE files in C:\WINDOWS\system32 - recursive
    Locating SYS files in C:\WINDOWS
    Locating SYS files in C:\WINDOWS\system32 - recusive
    adding: newfiles.txt <188 bytes security> <deflated 80%>
    adding: ffdata.txt <188 bytes security> <deflated 75%>
    adding: winfiles.txt <188 bytes security> <deflated 86%>

    __ (<--- and this is where the cursor is sitting/flashing)

    =================================================

    So far, no error messages! So, what do you think?
     
  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Look on your C drive for newfiles.txt and attach it into your next reply. There *may* be a runkeys.txt log there also, if so attach it too.

    Now if there isn't I am going to have you download a fresh copy of MGTools and we will see how we get on from there.
     
  9. linuxpowers

    linuxpowers Specialist

    OK...I looked and neither file is present. But, I'm sitting here looking at newfiles.txt on my screen! It's the text file that popped up in notepad during the scan. Maybe if I close it the scan will finish and post those files to C:\

    *update....I went ahead and closed out that text file in notepad and the command line finished...I'm back at the C:\MGtools prompt! Also, I see MGtools.zip is now present in my root directory and newfiles.txt is in that, as well as ffdata.txt and winfiles.txt! I will now finish GetRunKey if you think I should!
     
    Last edited: Jan 9, 2010
  10. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Then for now open up notepad and copy and paste all of the newfiles.txt into it. Attach it.
     
  11. linuxpowers

    linuxpowers Specialist

    Please read the *update on my previous post! Tried to beat you back here... :)
     
  12. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    OK! :)

    Attach it.
     
  13. linuxpowers

    linuxpowers Specialist

    OK...all yours! Keep in mind..I still haven't entered GetRunKey into the command line yet!
     

    Attached Files:

  14. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    ok, my bad, do the getrunkey and then attach the zip file again.
     
  15. linuxpowers

    linuxpowers Specialist

    :) no, my confusion is probably getting you out of order...my apologies! Here's the file you ordered:
     

    Attached Files:

  16. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Now I know a lot of what was discussed in your welcome centre thread, however I haven't the time to plow through it again. Can you please tell me what led you to our malware removal procedures in the first place? Could you tell me what malware issues you are still currently experiencing, if any?

    I am not seeing any malware in your logs that you have provided, only minor issues were dealt with by MBAM and SAS.

    Let's do this then:

    what are these all scattered about on your desktop, are they related to esword.net?

    You really need to tidy this desktop, as it is a perfect place for malware to hide and also a very easy way to lose important files/folders.

    Also delete all files in the below bold folder except ones from the current date (Windows will not let you delete the files from the current day).
    • C:\Documents and Settings\Roger\Local Settings\Temp

    Now run this:
    Running GMER to detect rootkits

    • Once done, click the Copy button.
    • This will copy the results to the clipboard. Open Notepad and press CTRL + V to paste the log, and save it to your desktop. Attach this log to your next reply.
     
  17. linuxpowers

    linuxpowers Specialist

    Thanks for all your time and efforts!

    I suppose that could best be answered by looking at my first post. Right now, I'm not sure I'm experiencing any malware issues. But, I still run into the same issue (at times) that I posted about in the first post I mentioned.

    Well I'm certainly elated to hear that! Thanks for the good news Doc!

    Why yes, they are. Since I keep my desktop icons hidden, I really don't pay much attention to them!

    Consider it done!


    OK...now I ran into a problem.

    First of all, I followed the instructions and started the scan. At some point, the screen went blank and the computer rebooted. When I got logged back into my account, I got a window that popped up that stated:

    Microsoft Windows
    The system has recovered from a serious error.
    A log of this error has been created.
    For more information about this error, click here.


    So, I clicked on it and another window popped up which stated:

    Error Signature
    BCCode:44 BCP1:867542E8 BCP2:00000D64 BCP3:00000000 BCP4:00000000 OSver:5_1_2600 SP:3_0 Product:768_1
    To view technical information about the error report, click here.

    So, once again, I clicked on it and it stated:

    The following files will be included in this error report:
    C:\DOCUME~1\Roger\LOCALS~\Temp\WER1f56.dir00\Mini010910-01.dmp
    C:\DOCUME~1\Roger\LOCALS~\Temp\WER1f56.dir00\sysdata.xml


    In chaslang's instructions, it was mentioned "NOTE: If you're having problems with running gmer.exe, try it in Safe Mode. This tool works in Safe Mode whereas many other rootkit revealers do not." So, if you think I should try running it again, but this time in safe mode, then let me know and I'll try it!
     
  18. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Run this instead. I still need to go back and read your first post... but right now I'm due at work, so will have to leave you with this and look at your welcome thread again later on.

    GMER - running with a random name

    • When the scan is complete, click Save and save the log onto your Desktop where it should be easy for you to find.
    • Attach the log to your next message.
     
  19. linuxpowers

    linuxpowers Specialist

    Nope, crashed again! Same Windows messages as before.
     
  20. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Damn. Okay I am sure your logs are clean but I am just trying to cover all bases now before giving you the final steps.

    Try this one:
    Using Sophos Anti-Rootkit
     
  21. linuxpowers

    linuxpowers Specialist

    Ok...Sophos completed its scan...
     

    Attached Files:

  22. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Good evening Roger.

    I am satisfied your logs are clean, however which part of the welcome centre thread highlights the issue you are still having? Is it the problem with the user accounts?
     
  23. linuxpowers

    linuxpowers Specialist

    It wasn't in the welcome center thread. I started out posting in "Software", but then someone came along and stated that I probably have malware issues and should visit the "READ & RUN ME" post and post my logs in here. I mentioned the issues I was having with MGtools when someone suggested I post in here. So I jumped over here in "Malware" and posted what I had!

    Yes..the user accounts!

    Sometimes...when I log-out of my account, I go back to the welcome screen but the user account icons are not showing up, and it's not just me! I've noticed this with the other users as well.

    At first, I thought it was just when we clicked on, "Switch User" but, now I've seen it happen if we click "Log Off" as well.

    Keep in mind, it doesn't happen all the time...just sometimes!

    But, if I have no malware issues anymore, then I suppose I could go back to that "Software" post and continue from there.
     
    Last edited: Jan 10, 2010
  24. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Yes, I think that would be the best thing to do at this stage. Best of luck resolving the problem. :)
     
    Last edited: Jan 10, 2010
  25. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Roger hang in there, I was going to give you final steps, but I think we ought to get full logs from you before doing so. Give me some time and I'll post again very soon.
     
  26. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Please click Start, Run, and enter cmd and click OK. This will open a command prompt window. Enter the below commands at the command prompt each followed by the enter key. The bold black are commands. The purple is merely informational.

    cd \MGtools <-- this changes to the MGtools folder and the prompt should change to C:\MGtools>
    GetLogs <-- this will try to run another scan from MGtools. Tell me what error messages, if any, you see.


    and attach the logs. :)
     
  27. linuxpowers

    linuxpowers Specialist

    As requested: ooops...hit the wrong button!
     
    Last edited: Jan 11, 2010
  28. linuxpowers

    linuxpowers Specialist

    Here you go:
     

    Attached Files:

  29. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Your logs are clean, you just need to tidy up your desktop as it is a perfect place for malware to hide, an easy way to lose important data and also can have an impact on system performance.

    Also delete all files in the below bold folder except ones from the current date (Windows will not let you delete the files from the current day).
    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
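    An added example of the Temp cleanup step Kestrel13! describes above (not code from the thread or from MGTools): a PowerShell script that removes everything under a Temp folder except items last written today, reports files Windows refuses to delete because they are in use, and only deletes when -Force is given. The script name Clear-OldTemp.ps1, its parameter names and the default path are assumptions; the thread's own folder was C:\Documents and Settings\Roger\Local Settings\Temp.

```powershell
# Clear-OldTemp.ps1 (hypothetical name; added example, not MGTools code)
# Usage:  .\Clear-OldTemp.ps1                      -> dry run on the current user's Temp
#         .\Clear-OldTemp.ps1 -TempPath 'C:\Documents and Settings\Roger\Local Settings\Temp' -Force
param(
    [string]$TempPath = [System.IO.Path]::GetTempPath(),  # assumed default: the current user's Temp
    [switch]$Force                                         # actually delete; without it, only report
)

if (-not (Test-Path -LiteralPath $TempPath)) {
    throw "Temp folder not found: $TempPath"
}

$today   = (Get-Date).Date
$kept    = @()
$removed = @()
$failed  = @()

# Deepest paths first, so files go before the directories that contain them.
$items = Get-ChildItem -LiteralPath $TempPath -Recurse -Force -ErrorAction SilentlyContinue |
         Sort-Object { $_.FullName.Length } -Descending

foreach ($item in $items) {
    # Keep anything written today, as the instructions say.
    if ($item.LastWriteTime.Date -eq $today) {
        $kept += $item.FullName
        continue
    }
    # Keep a directory that still holds something from today (or something we could not delete).
    if ($item.PSIsContainer -and
        (Get-ChildItem -LiteralPath $item.FullName -Recurse -Force -ErrorAction SilentlyContinue)) {
        $kept += $item.FullName
        continue
    }
    if (-not $Force) {
        Write-Host "Would remove: $($item.FullName)"
        $removed += $item.FullName
        continue
    }
    try {
        Remove-Item -LiteralPath $item.FullName -Force -ErrorAction Stop
        $removed += $item.FullName
    } catch {
        # Files held open by a running program cannot be deleted; report them and carry on.
        $failed += $item.FullName
        Write-Warning "Could not remove $($item.FullName): $($_.Exception.Message)"
    }
}

$mode = if ($Force) { 'removed' } else { 'would remove' }
Write-Host ("Kept {0}, {1} {2}, failed {3}" -f $kept.Count, $mode, $removed.Count, $failed.Count)
```

    Run it once without -Force and read the "Would remove" lines before running it again with -Force; the failed count is expected to be non-zero while programs that keep temp files open are running.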
  30. linuxpowers

    linuxpowers Specialist

    Kestrel13!, during the holidays, the company I work for gives us time off until after the first of the year. I went back to work this week and I work four 10-hour days, from 6am-4:30pm, Mon-Thurs.

    I tell you that because now that I'm back to work, I haven't had time to follow the final steps yet. I work 1 more day this week, Thursday, then I'm off again until next Tuesday. I just want you to know that I haven't blown off this "final" process now that I'm satisfied that I don't have any malware on my computer. I do intend on finishing this process as soon as I can get to it.

    I also want to thank you for taking your personal time to walk me through this whole thing, I can't express that enough! I know how hard it is sometimes to assist people with the technical side of their computers, (some don't know their browsers from their operating system). I hope I have been a "good student" for you!

    Thanks again and I'll get to this asap!

    Linuxpowers....
     
  31. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You are most welcome :)

    ... LOL

    We got through it no trouble huh? ;)

    Follow final steps as soon as you can. Take care.
    Kes13!
     
  32. linuxpowers

    linuxpowers Specialist

    OK, I had an issue with trying to uninstall ComboFix. I ran
    from the run menu but it ran the program all over again! So I waited until the pop up log file came up in notepad. I exited the file and noticed my start button, and the entire task bar was missing. The only thing I could do was Ctrl-Alt-Del and restart windows from there.

    I'm back on now but not sure what to do ATM! Everything seems to be in place and working.

    I was able to complete the cleaning of MGtools per instructions.
     
  33. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    use this instead:
     
  34. linuxpowers

    linuxpowers Specialist

    Mmm...Kestrel13!, I ran the command, but it tells me it can't find it! So, I brought up "My Computer", pointed it towards my desktop and sure enough, it's not there.

    Still not satisfied, I did a search for any instance of combofix on drive C:\ and all that came up was,

    COMBOFIX.EXE-069CA8AB.pf
    COMBOFIX-DOWNLOAD.CFXXE-31D203D3.pf


    located in prefetch folder, "c:\windows\prefetch"!

    It appears to me that the /u switch did work but that the program needed to run first and then reboot! I didn't notice any uninstall messages when the script ran, but it's not there now! What do you think?
     
  35. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    If you can't find it, then I would say it is gone. It will leave your prefetch after a while, or you can delete it from there. Either way, it isn't a problem.

    (Kes had work to go to.....ergo the reply.)
     
  36. linuxpowers

    linuxpowers Specialist

    Thanks TimW, I'll just continue with the cleanup procedures as outlined then!
     
  37. linuxpowers

    linuxpowers Specialist

    OK...Here's what I've completed so far:
    • Created a new restore point
    • Visited Windows update
    • Eliminated all diagnostic tools, kept Superantispyware/Malwarebytes for scanning purposes
    • Installed AntiVir Personal Edition
    • Installed COMODO Firewall (made sure MS Firewall was disabled)
    • Kept and ran CCleaner
    • Purchased and used DriverScanner 2009 to update drivers
    • Adjusted Active X security settings
    • Continue to use FF...never used/liked IE!
    • Uninstalled Microsoft Java and replaced with Sun Java (during scanning/logging of system for malware)
    • Successfully disabled Autorun feature
    Have I just about touched all the bases?
     
  38. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    definitely! :)
     
  39. linuxpowers

    linuxpowers Specialist

    Great! I also just completed eliminating unneeded services by visiting "Black Viper". I think I screwed it up the first time because when I rebooted and got back into my account, everything took about 60sec to come up! Was finally able to get back on-line and went through it all again....running fine now (cross my fingers)

    Also, I visited "PC Flank" to test my firewall settings. Everything showed up "stealth"!

    Anything else I need to look at?
     
  40. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I think you have all areas covered. Relax now and start enjoying a malware free PC! :)
     
  41. linuxpowers

    linuxpowers Specialist

    Alright! :-D

    Once again Kestrel13!, I can't thank you enough for helping me on all this, I truly appreciate all you've done!

    Now I need to head over to "software" and get some answers on my new firewall! :wave

    Thanks,
    Linuxpowers
     
  42. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    No problem ;) Yes go ahead and start posting in software, the guys and gals in there are great and will address any questions that you may have regarding any s/w issues including of course firewalls :) Take Care.

    Kes13!
     
