SystemTool 2011 removed, I think -

Discussion in 'Malware Help (A Specialist Will Reply)' started by p45cal, Jan 17, 2011.

  1. p45cal

    p45cal Private E-2

    I followed as best I could the instructions on the read and run me first post. I had some difficulty to start with as I could only run anything in Safe Mode.
    The Java wouldn't uninstall (Install wasn't installed properly or access not allowed - I was in the built-in Admin account in Safe Mode)(I have Java 6 update 11).
    SAS was run under Administrator in Safe Mode. I was then able to do the rest in Normal mode (except I had to retrieve the SAS log by going back into Safe Mode).
    I found I had to completely uninstall AVG 2011 Free edition because combofix wouldn't run unless that was done, despite my disabling it for 15 mins - combofix still detected it.
    I accidentally ran combofix twice because the first time I clicked the wrong button when it reported the recovery console was missing.
    MGTools was also run twice because the miscinfo.text was largely empty - though after running the XPHome fix, and running MGTools again it was still the same.

    Could someone confirm that all is OK now from the logs please? In this and the next posts' attachments. The computer so far seems to have returned to normal.

    regards, p45cal

    ps. I can only attach 4 files to a single post so I hope breaking the 'do not bump or add additional posts to your thread' (rule 6) will be acceptable!
     

    Attached Files:

  2. p45cal

    p45cal Private E-2

    Please see attached MGTools log.
    p45cal
     

    Attached Files:

  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    It looks like the scans took care of your malware issue. We just have a few things to clean up.

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now copy just the bold text below to notepad (Do not include any space above the word REGEDIT). Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    Now use windows explorer to find and delete:
    C:\Documents and Settings\All Users\Application Data\nFnFm06511

    If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan. We recommend them for doing backup scans when you suspect a malware infection.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.


    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    10. After doing the above, you should work thru the below link:
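    As an added illustration (not part of TimW's instructions or any MajorGeeks tool), the following PowerShell script checks the two manual steps above: that fixME.reg was actually saved as a .reg file rather than fixME.reg.txt, that the registry merge reported success, and that the leftover nFnFm06511 folder is really gone. It assumes fixME.reg sits on the current user's desktop, as instructed, and that the script is run from an elevated prompt.

```powershell
# Added example, not from the thread: verify the manual cleanup steps.
# Assumes fixME.reg was saved to the current user's desktop (as the post asks).

$leftover = 'C:\Documents and Settings\All Users\Application Data\nFnFm06511'
$regFile  = Join-Path ([Environment]::GetFolderPath('Desktop')) 'fixME.reg'

# 1. A common mistake is Notepad saving "fixME.reg.txt" when "Save as type"
#    is left on "Text Documents"; detect that before trying to import.
if (-not (Test-Path -LiteralPath $regFile)) {
    $txt = "$regFile.txt"
    if (Test-Path -LiteralPath $txt) {
        Write-Warning "Found $txt - Notepad appended .txt. Re-save with 'Save as type: All Files'."
    } else {
        Write-Warning 'fixME.reg not found on the desktop.'
    }
} else {
    # reg.exe exits with 0 only when the merge succeeded; anything else means it did not work.
    & reg.exe import $regFile
    if ($LASTEXITCODE -eq 0) {
        Write-Output 'fixME.reg merged successfully.'
    } else {
        Write-Warning "reg import failed (exit code $LASTEXITCODE). Run from an elevated prompt."
    }
}

# 2. Remove the leftover data folder named in the post and confirm it is gone.
if (Test-Path -LiteralPath $leftover) {
    Remove-Item -LiteralPath $leftover -Recurse -Force
}
if (Test-Path -LiteralPath $leftover) {
    Write-Warning "$leftover is still present - a file in it may be locked; retry from Safe Mode."
} else {
    Write-Output "$leftover is gone."
}
```

    The exit-code check is the scriptable equivalent of the "success message" TimW asks you to report: a non-zero code from reg.exe means the registry was not changed.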




     
  4. p45cal

    p45cal Private E-2

    With HJT I fixed both O2s but left the R1 because I think that is a proxy server used by my brother (for it is his computer) to use his company's intranet via the internet (or some such).

    I did get a Success message when I ran fixME.reg.

    Trying to re-enable disk emulators with defogger resulted in something like 'file could not be opened', however, since when I first used it to disable them it didn't ask me to reboot afterwards, I'd guess that there weren't any to disable. Here's a file I found on the desktop (defogger_disable) timestamped at around the time I first used Defogger:
    Code:
    defogger_disable by jpshortstuff (23.02.10.1)
    Log created at 11:00 on 17/01/2011 (Administrator)
    
    Checking for autostart values...
    HKCU\~\Run values retrieved.
    HKLM\~\Run values retrieved.
    
    Checking for services/drivers...
    
    
    -=E.O.F=-
    HijackThis wasn't to be found in the Add/Remove programs to be removed.

    The rest of the steps to step 9 went smoothly.

    AVG 2011 Free reinstalled

    Will work my way through step 10 tomorrow.

    I'm not able to test extensively since my brother isn't around at the moment but I do have a question or two:
    At the bottom of the SAS log there's a ref to vlcsetup.exe under Adware.Agent/Gen-Zango. There's a fair bit of other Zango stuff in that log too. Does that imply that it could all have come from installing VLC Media Player several weeks ago (which hasn't been a problem on my computer)?
    Also, would it be dangerous for me to run VLC, if the setup file used to install it contains this adware?

    All said and done, it's been a slog fixing this computer and I couldn't have done it confidently without help from you and the MajorGeeks site, so a well-deserved thank you from me goes to you and all who put in so much time and effort into maintaining the site and helping others. I'll be going round the many various posts I've been using today to click on the Thanks buttons.

    regards, Pascal
     
  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    vlcsetup.exe is a fake adaware file. It doesn't belong with VLC player. You can see the results of it being submitted to VirusTotal HERE.

    And you are most welcome. Do let me know if you have any other issues. ;)
     
