spyware tools not working

Discussion in 'Malware Help (A Specialist Will Reply)' started by msich, Aug 29, 2009.

  1. msich

    msich Private E-2

    Hello,

I am having major problems since earlier today. It started with popup windows saying I was infected, and me being unable to run Malwarebytes and SAS. Now, if I'm not in safe mode, my background is changed to a warning screen and some bogus anti-virus, called Security Center (I think), starts running. In safe mode I can only run MGtools, and I'm not even sure it's the most updated edition; I tried downloading updates but I'm not sure if they are installing. So attached is the log from MGtools.

    Thank you so much for any help you are able to provide.
     

    Attached Files:

  2. msich

    msich Private E-2

    A quick update. I was able to use RootRepeal to erase the UAC files, after which I was able to run Malwarebytes in safe mode, then SAS and ComboFix in regular mode. Now everything seems to be running fine, therefore I will not waste your time with my log files (unless you think I should post them).
    This site was a great resource, and I would be looking at installing my 2nd hard drive at this point if not for your help.
     
  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    None of those are absolute. I would like to see the logs to be sure that all traces are gone.

    So please attach the logs that you have for:
    SAS
    MBAM
    ComboFix
    RootRepeal
    and a new MGLogs.zip from double clicking the C:\MGtools\GetLogs.bat file.
     
  4. msich

    msich Private E-2

    Thank you for the response; I appreciate you taking the time to check these logs out again. Actually, things have been running OK since I last cleaned things up.
     

    Attached Files:

  5. msich

    msich Private E-2

    And the final log...


    thanks again!
     

    Attached Files:

  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Although you removed most of it, it also removed some of your system files.

    First, use windows explorer to find and delete:
    C:\WINDOWS\system32\zohodemu

    Now download the latest version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Now download and save this XPsp3bu.exe to your C:\ root folder. You must do this properly. Now run the XPsp2bu.exe program by double clicking on it. You may or may not notice a quick flash of a black window. This is normal. The program runs quickly and just extracts some files we need.

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected):
    Code:
    KILLALL::
    
    FCopy::
    C:\MGtools\temp\beep.sysmg|C:\WINDOWS\system32\dllcache\beep.sys
    C:\MGtools\temp\beep.sysmg|C:\WINDOWS\system32\dllcache\cache\beep.sys
    C:\MGtools\temp\beep.sysmg|C:\WINDOWS\beep.sys
    C:\MGtools\temp\beep.sysmg|C:\WINDOWS\system32\beep.sys
    C:\MGtools\temp\eventlog.dllmg|C:\WINDOWS\system32\eventlog.dll
    C:\MGtools\temp\eventlog.dllmg|C:\WINDOWS\system32\dllcache\eventlog.dll
    C:\MGtools\temp\eventlog.dllmg|C:\WINDOWS\system32\dllcache\cache\eventlog.dll
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools.exe file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\ComboFix.txt
    * C:\MGlogs.zip
     
  7. msich

    msich Private E-2

    Thanks greatly for your help.
    So I found and deleted: C:\WINDOWS\system32\zohodemu
    I redownloaded MGtools.
    I downloaded and ran: XPsp2bu.exe
    I tried to run ComboFix by dragging the text below onto it. It started OK, but then I ran into a problem: I tried running it twice, but both times it would stop at stage 50 and then the computer would restart with no log.
    So I ran MGtools.
    That log is attached.

    thanks again.
     

    Attached Files:

  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Now we need to do just one more thing.

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected):
    Code:
    KILLALL::
    
    File::
    C:\WINDOWS\system32\dllcache\cache\beep.sys
    C:\WINDOWS\beep.sys
    C:\WINDOWS\system32\beep.sys
    C:\WINDOWS\system32\dllcache\eventlog.dll
    C:\WINDOWS\system32\dllcache\cache\eventlog.dll
    
    Folder::
    C:\WINDOWS\system32\dllcache\cache
    
    FCopy::
    C:\MGtools\temp\beep.sysmg|C:\WINDOWS\system32\drivers\beep.sys
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Please attach the new combo log.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\ComboFix.txt
    * C:\MGlogs.zip

    Then we will give you the final cleanup.
     
    Last edited: Sep 19, 2009
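Both of TimW's CFScript posts above boil down to the same two steps: tell ComboFix which files and folders to remove, and copy known-good copies of beep.sys and eventlog.dll from C:\MGtools\temp over the system copies. The script below is an added example (it is not ComboFix, MGtools or MajorGeeks code, and it does not reproduce how ComboFix itself processes a CFScript): it parses the four directives used in this thread (KILLALL::, File::, Folder::, FCopy::) into a plan, and then does the check a practitioner would want before and after the FCopy step: a SHA-256 comparison of each target against its known-good source, so you can see which system copies differ from the clean originals and confirm that every target matches afterwards. The file contents in the demo are constructed in a temporary directory; the src|dst line format and the assumption that a known-good copy exists for every target are taken from the scripts in the thread. Note the caveat: a hash check reads the files through the running kernel, so an active rootkit that intercepts file reads can present clean bytes for a patched driver; run the comparison from safe mode or an offline boot if the first pass comes back suspiciously clean.

```python
"""Parse the ComboFix-style CFScript directives used in this thread and
verify, by SHA-256, that system-file copies match the known-good originals.

Added example; not ComboFix/MGtools code.  KILLALL:: is only recorded here,
not acted on, and File::/Folder:: entries are collected rather than deleted.
"""
import hashlib
import os
import shutil
import tempfile

SECTIONS = ("KILLALL::", "File::", "Folder::", "FCopy::")

# Constructed copy of the kind of CFScript posted in the thread (same format).
SAMPLE_SCRIPT = r"""KILLALL::

File::
C:\WINDOWS\system32\dllcache\cache\beep.sys
C:\WINDOWS\beep.sys

Folder::
C:\WINDOWS\system32\dllcache\cache

FCopy::
C:\MGtools\temp\beep.sysmg|C:\WINDOWS\system32\drivers\beep.sys
C:\MGtools\temp\eventlog.dllmg|C:\WINDOWS\system32\eventlog.dll
"""


def parse_cfscript(text):
    """Return {'KILLALL': bool, 'File': [..], 'Folder': [..], 'FCopy': [(src, dst), ..]}."""
    plan = {"KILLALL": False, "File": [], "Folder": [], "FCopy": []}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            current = line[:-2]          # strip the trailing '::'
            if current == "KILLALL":
                plan["KILLALL"] = True
            continue
        if current == "FCopy":
            parts = line.split("|")      # exactly one 'src|dst' pair per line
            if len(parts) != 2:
                raise ValueError("bad FCopy line: %r" % line)
            plan["FCopy"].append((parts[0], parts[1]))
        elif current in ("File", "Folder"):
            plan[current].append(line)
        else:
            raise ValueError("directive before any section header: %r" % line)
    return plan


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_copies(fcopy_pairs):
    """Map each FCopy target to 'ok', 'MISMATCH' or 'MISSING' versus its known-good source."""
    results = {}
    for src, dst in fcopy_pairs:
        if not os.path.exists(dst):
            results[dst] = "MISSING"
        elif sha256_file(src) == sha256_file(dst):
            results[dst] = "ok"
        else:
            results[dst] = "MISMATCH"
    return results


def demo():
    """Constructed scenario: one patched driver, one intact DLL, then the copy step."""
    root = tempfile.mkdtemp()
    good = os.path.join(root, "MGtools", "temp")
    sys32 = os.path.join(root, "WINDOWS", "system32")
    os.makedirs(good)
    os.makedirs(os.path.join(sys32, "drivers"))
    clean_beep, clean_evt = b"clean beep.sys bytes", b"clean eventlog.dll bytes"
    files = {
        os.path.join(good, "beep.sysmg"): clean_beep,
        os.path.join(good, "eventlog.dllmg"): clean_evt,
        os.path.join(sys32, "drivers", "beep.sys"): clean_beep + b"\x90" * 16,  # tampered
        os.path.join(sys32, "eventlog.dll"): clean_evt,                          # intact
    }
    for path, data in files.items():
        with open(path, "wb") as f:
            f.write(data)
    pairs = [(os.path.join(good, "beep.sysmg"), os.path.join(sys32, "drivers", "beep.sys")),
             (os.path.join(good, "eventlog.dllmg"), os.path.join(sys32, "eventlog.dll"))]
    before = check_copies(pairs)
    for src, dst in pairs:               # plain copy standing in for FCopy::
        if before[dst] != "ok":
            shutil.copyfile(src, dst)
    after = check_copies(pairs)
    shutil.rmtree(root)
    return before, after


if __name__ == "__main__":
    print(parse_cfscript(SAMPLE_SCRIPT))
    b, a = demo()
    print("before:", b)
    print("after: ", a)
```

On a real machine you would point the FCopy pairs at the actual C:\MGtools\temp\*.mg files and the system32 / dllcache targets from the thread, and run check_copies once before dragging CFscript.txt onto ComboFix and once after; a target still reporting MISMATCH after the run is the one to raise in the next post.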
