Slammed with a lot of stuff - is it gone?

Discussion in 'Malware Help (A Specialist Will Reply)' started by TinaS, May 6, 2008.

  1. TinaS

    TinaS Private E-2

    I followed the removal procedures and am posting all the logs to make sure that I am finished. All I know is I left my computer, my son went on to play some online games and he said the computer kept "freezing", so he shut it down. When I restarted, my desktop was gone, there were some anti-spyware icons on my desktop that wouldn't go away and I kept getting these popup messages about cleaning an infected computer. My wireless network was also down. Now everything seems good after cleaning, but I just want to make sure.

    Thanks!

    TinaS
     

    Attached Files:

  2. TinaS

    TinaS Private E-2

    Here is my MBAM log - when I went back in to get the log, it gave me an error, so I uninstalled it, reinstalled it and ran it a second time. Here are both logs.

    Thanks!

    Tina S.
     

    Attached Files:

  3. abri

    abri MajorGeek

    Hi TinaS,
    Welcome to the Malware Forum!


    The scans removed a lot of malware, but there is still quite a bit left. Please use your computer sparingly until we can post a set of instructions to you. This can take some time, so thanks for being patient.

    abri
     
  4. TinaS

    TinaS Private E-2

    Not a problem...I appreciate all the help I can get! ;)

    I'll keep checking back throughout the day. I can stay off the computer for a while! :cry

    Tina S.
     
  5. abri

    abri MajorGeek

    Hi TinaS,

    What is in the following folder? (You can look in the folder, but do not open any files if you don't know what they are.)

    C:\DNHosts


    Please continue with the following:

    1) Disable your guest account if this hasn't already been done.

    2) Install the current version of Sun Java from: Sun Java Runtime Environment

    3) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger


    4) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O21 - SSODL: wetkadmr - {6EA4F18E-4FFC-4B5F-9194-CCF4CCCA6CD5} - C:\WINDOWS\wetkadmr.dll (file missing)
    O21 - SSODL: tdomgafw - {232DB35C-5CBE-401A-8C53-76D58B256977} - C:\WINDOWS\tdomgafw.dll (file missing)


    Do you know what the following is? If not, please fix it as well.


    O24 - Desktop Component 0: (no name) -
    hxxp://www.finishline.com/store/images/products/xl160985brg.jpg

    After you click fix, just close hijackthis.


    5) Download and install Erunt. Use it to create a backup of your registry.

6) Note: There's an entry in the following registry patch for SimpleTimeBar for which there's no information on the internet, which makes me think it's malware. If you happen to recognize it and want to keep it, then please remove it after you copy and paste the contents of the box below into Notepad.

    Now please copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, look for it on your desktop and when you find it, double-click it and allow it to merge with the registry.
    7) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the 'Execute' button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt

    8) Now run CCleaner at the default setting with the Windows tab as the top one.

    9) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log.


    Let me know how things are running now.

    abri
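    The HijackThis lines abri asks to fix above are of two kinds worth recognizing in any HJT log: O21 SSODL (ShellServiceObjectDelayLoad) entries whose registered DLL is marked "(file missing)", i.e. an orphaned autostart left behind after the scanners deleted the file, and an O24 desktop component that pulls content from a remote URL. The following Python script is an added illustration, not a MajorGeeks tool and not part of abri's instructions: it parses the four lines quoted in the post (embedded here as constructed sample input, with the O24 line rejoined onto one line) and flags those two patterns. The "random-looking 8-letter name" check is a heuristic assumption of this example, not a rule from the thread; the "(file missing)" and remote-URL checks come straight from what the post shows.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the HijackThis lines quoted in abri's post. Backslashes are
# doubled only because this is a Python string; the log itself has single ones.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [QuickTime Task] "C:\\Program Files\\QuickTime\\qttask.exe" -atboottime
O21 - SSODL: wetkadmr - {6EA4F18E-4FFC-4B5F-9194-CCF4CCCA6CD5} - C:\\WINDOWS\\wetkadmr.dll (file missing)
O21 - SSODL: tdomgafw - {232DB35C-5CBE-401A-8C53-76D58B256977} - C:\\WINDOWS\\tdomgafw.dll (file missing)
O24 - Desktop Component 0: (no name) - hxxp://www.finishline.com/store/images/products/xl160985brg.jpg
"""


@dataclass
class HjtEntry:
    section: str                      # HijackThis section code, e.g. "O4", "O21", "O24"
    raw: str                          # the original log line
    flags: list = field(default_factory=list)  # reasons this entry deserves a look


# "O21 - <rest of line>": every HJT entry starts with a section code and " - ".
LINE_RE = re.compile(r"^(O\d+)\s+-\s+(.*)$")

# "SSODL: <name> - {CLSID} - <dll path>[ (file missing)]"
SSODL_RE = re.compile(
    r"^SSODL:\s+(?P<name>\S+)\s+-\s+(?P<clsid>\{[0-9A-Fa-f-]+\})\s+-\s+"
    r"(?P<path>.*?)(?P<missing>\s+\(file missing\))?$"
)

# Accepts both live http(s):// and defanged hxxp:// URLs as they appear in forum posts.
URL_RE = re.compile(r"\bh(?:xx|tt)ps?://\S+", re.IGNORECASE)


def parse_hjt_line(line):
    """Parse one HijackThis log line into an HjtEntry, or None if it is not an entry."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    entry = HjtEntry(section=section, raw=line.strip())

    if section == "O21":
        sm = SSODL_RE.match(body)
        if sm:
            if sm.group("missing"):
                # The registry still delay-loads a DLL that no longer exists on disk.
                entry.flags.append("orphaned SSODL: registered DLL not on disk")
            name = sm.group("name")
            # Heuristic assumption of this example: eight lowercase letters with no
            # dictionary meaning (wetkadmr, tdomgafw) look machine-generated.
            if len(name) == 8 and name.isalpha() and name.islower():
                entry.flags.append("random-looking 8-letter name")
    elif section == "O24":
        if URL_RE.search(body):
            # Active Desktop component fetching content from a remote web server.
            entry.flags.append("desktop component points at remote URL")
    return entry


def triage(log_text):
    """Return every parsed HJT entry in the log, flagged or not."""
    return [e for e in (parse_hjt_line(l) for l in log_text.splitlines()) if e]


def suspicious(log_text):
    """Return only the entries that picked up at least one flag."""
    return [e for e in triage(log_text) if e.flags]


if __name__ == "__main__":
    for e in suspicious(SAMPLE_LOG):
        print(e.section, "|", "; ".join(e.flags))
        print("   ", e.raw)
```

    Run against the sample, the script leaves the QuickTime O4 entry unflagged and reports the two orphaned O21 SSODL entries and the O24 desktop component, which matches the set abri asked to fix. A real log from C:\MGtools\analyse.exe can be fed in the same way by reading the file into log_text.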
     
  6. TinaS

    TinaS Private E-2

    Hi Abri,

    The folder you asked about is part of my software for my job - I work at home as a medical transcriptionist. It has my account information in it.

    1. My guest account was disabled already.
    2. Sun Java Runtime was downloaded successfully.
    3. Windows Messenger was removed.
    4. I attached the logs.

    Things are running...I just wanted to be sure there wasn't anything nasty lurking around still.

    Thank you very, very much! :)
     

    Attached Files:

  7. abri

    abri MajorGeek

    Hi TinaS,

    Your logs are clean now. Please run the final cleanup instructions which will take all the tools and logs off of your computer that we had you install. You'll also be setting a new restore point and wiping all the previous ones, so you'll have a known clean one to come back to. Then I would encourage you to read through the How to protect yourself from malware, as it's an easy read and it contains the recommendations of this site as to which combination of programs will give you the best protection.
    abri
     
  8. TinaS

    TinaS Private E-2

    Thank you very much. I've followed all the instructions to the last letter and everything looks really good. I've also gone to the link you gave and downloaded a firewall, antivirus and malware blocker. Thanks so much for all the help!!

    Tina S.
     
  9. abri

    abri MajorGeek

    You're welcome!
    Happy surfing!
     
