Trouble Getting complete scan

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Chiliyago, Jan 2, 2011.

  1. Chiliyago

    Chiliyago Private E-2

    I am having troubles completing a full scan using Dr. Web because my computer crashes and restarts after it has been running for a while.

    So far I have been able to log into my Win7 box in safe mode without too many problems. In addition I have disabled MS Security Essentials by executing "NET STOP MsMpSvc" at the command prompt.

    • TDSSKiller.exe has found and removed the TDSS rootkit.
    • The Dr. Web Express scan has run and found nothing.
    • I successfully ran ComboFix and have attached the log for someone's review/opinion.

    I would like to run a complete scan but since my machine reboots in the middle I am not sure what to do next.

    I plan on trying scanning with SuperAntiSpyware next and hoping it won't crash my box.

    Thanks for the help.
     


  2. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Welcome to MajorGeeks


    re:READ & RUN ME FIRST. Malware Removal Guide

    Please complete the above steps and attach all of the requested logs. *DO NOT rerun TDSSKiller and ComboFix -- attach the TDSSKiller.txt log as well.

    dr.m
     
    Last edited: Jan 2, 2011
  3. Chiliyago

    Chiliyago Private E-2

    Here is the TDSS log. I am looking for the others.
     


  4. Chiliyago

    Chiliyago Private E-2

    This is the SuperAntiSpyware log.
     


  5. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Chiliyago

    Please finish running the requested scans and attach these logs to your next reply:
    • MBAM log.txt
    • C:\MGlogs.zip

    Also describe how your machine is currently running.
    dr.m
     
  6. Chiliyago

    Chiliyago Private E-2

    Here is the mbam log - nothing found.


    The machine seems to run OK when it stays on. The biggest problem after removing the TDSS and quarantining the SQL dll and other cookies has been the sudden shutdowns.

    I uninstalled MS Security Essentials, so I think that may have contributed to the sudden shutdowns while some of these other tools were installed.

    I will try to run the MGTools now.
     


  7. Chiliyago

    Chiliyago Private E-2

    I am unable to run RootRepeal due to the following error.

    FOPS - DeviceIoControl Error! Error Code = 0xc0000024
    Extended Info (0x000000dc)
     
  8. Chiliyago

    Chiliyago Private E-2

    Ok here are the MGlogs. I think we have everything now. Let me know what's next.
     


  9. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    OK, Chiliyago -

    I can get started, then.
     
  10. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    First, please disable Spybot's TeaTimer
    How to disable Spybot's TeaTimer


    Please look in Add/Remove Programs (Programs and Features if using Vista or Windows 7) for the following and uninstall if found. If you get any errors just make a note and continue on.
    Using Windows Explorer - Delete all files and subfolders in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    Open CCleaner - select "Cleaner" > "Run Cleaner" <---use this function ONLY!

    Now install the latest Sun Java Runtime Environment


    Let's double-check something. Please download MBRCheck to your desktop.
    • Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Attach this log to your next message.

    Now - re-boot into "Normal Startup Mode" and describe any problems you're still having.
     
    Last edited: Jan 3, 2011
  11. Chiliyago

    Chiliyago Private E-2

    Thanks for the help:
    There are two files that won't delete in folder C:\Users\Administrator\Local Settings\temp; both have older dates than today.

    1. qtsingleapp-lwsexe-d03c-2-lockfile
    2. FXSAPIDebugLogFile.txt

    I ran MBRCheck but was unable to locate any MBRCheck log file. However, this is the output on the screen:

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows 7 Ultimate Edition
    Windows Information: (build 7600), 32-bit
    Base Board Manufacturer: ASUSTeK Computer INC.
    BIOS Manufacturer: American Megatrends Inc.
    System Manufacturer: System manufacturer
    System Product Name: P5K Deluxe
    Logical Drives Mask: 0x000013ed

    \\.\C: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (NTFS)
    \\.\D: --> \\.\PhysicalDrive1 at offset 0x0000001f`ff600000 (NTFS)
    \\.\F: --> \\.\PhysicalDrive2 at offset 0x00000000`00100000 (NTFS)
    \\.\G: --> \\.\PhysicalDrive0 at offset 0x00000001`a0b9a400 (NTFS)
    \\.\I: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (FAT32)
    \\.\M: --> \\.\PhysicalDrive3 at offset 0x00000000`00100000 (NTFS)

    Size Device Name MBR Status
    --------------------------------------------
    372 GB \\.\PhysicalDrive1 Windows 7 MBR code detected
    SHA1: 4379A3D43019B46FA357F7DD6A53B45A3CA8FB79
    465 GB \\.\PhysicalDrive2 Windows 2008 MBR code detected
    SHA1: 8DF43F2BDE2D9451948FA14B5279969C777A7979
    186 GB \\.\PhysicalDrive0 Legit MBR code detected
    SHA1: F75A10171F7488C11BA9A98CEC3D186D7A8D3972
    931 GB \\.\PhysicalDrive3 Windows 7 MBR code detected
    SHA1: 4379A3D43019B46FA357F7DD6A53B45A3CA8FB79


    Done!
    Press ENTER to exit...
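    The MBRCheck report above is read by eye in the thread. The following is an added example (not code from the thread, from MajorGeeks, or from the MBRCheck tool itself) that parses the per-drive table of such a report and flags anything a defender would want to look at: a status line that is not one of the recognised-good wordings, or two drives that carry the same known-good label but different SHA1 values (identical boot code should hash identically). The sample input is the table from the post plus one constructed line for a flagged drive; it is an assumption that the "Found non-standard or infected MBR" wording appears in the status column, since the page only shows it as the interactive prompt. The `sha1_of_sector` helper hashes a raw 512-byte sector; whether MBRCheck hashes the whole sector or only the boot-code bytes is not stated in the thread, so that value is not guaranteed to match the tool's SHA1 column.

```python
import hashlib
import re

# Constructed sample: the per-drive table quoted in the thread, plus one
# constructed line for a drive MBRCheck would flag (wording is an assumption).
SAMPLE_REPORT = r"""
Size Device Name MBR Status
--------------------------------------------
372 GB \\.\PhysicalDrive1 Windows 7 MBR code detected
SHA1: 4379A3D43019B46FA357F7DD6A53B45A3CA8FB79
465 GB \\.\PhysicalDrive2 Windows 2008 MBR code detected
SHA1: 8DF43F2BDE2D9451948FA14B5279969C777A7979
186 GB \\.\PhysicalDrive0 Legit MBR code detected
SHA1: F75A10171F7488C11BA9A98CEC3D186D7A8D3972
931 GB \\.\PhysicalDrive3 Windows 7 MBR code detected
SHA1: 4379A3D43019B46FA357F7DD6A53B45A3CA8FB79
60 GB \\.\PhysicalDrive4 Found non-standard or infected MBR
SHA1: 0000000000000000000000000000000000000000
"""

# "<size> GB \\.\PhysicalDriveN <status text>"
DRIVE_RE = re.compile(r"^(\d+) GB (\\\\\.\\PhysicalDrive\d+) (.+)$")
SHA1_RE = re.compile(r"^SHA1: ([0-9A-Fa-f]{40})$")
# Status wordings the thread shows for boot code MBRCheck recognises as legitimate
KNOWN_GOOD_RE = re.compile(r"^(Windows .+ MBR code detected|Legit MBR code detected)$")


def parse_mbrcheck(report: str) -> list:
    """Return one dict per physical drive: size_gb, device, status, sha1."""
    drives = []
    for raw in report.splitlines():
        line = raw.strip()
        m = DRIVE_RE.match(line)
        if m:
            drives.append({"size_gb": int(m.group(1)), "device": m.group(2),
                           "status": m.group(3), "sha1": None})
            continue
        m = SHA1_RE.match(line)
        # The SHA1 line always follows the drive line it belongs to
        if m and drives and drives[-1]["sha1"] is None:
            drives[-1]["sha1"] = m.group(1).upper()
    return drives


def triage(drives: list) -> list:
    """Return human-readable findings for drives that merit a closer look."""
    findings = []
    first_hash_for_label = {}  # status label -> first SHA1 seen with that label
    for d in drives:
        if not KNOWN_GOOD_RE.match(d["status"]):
            findings.append(f"{d['device']}: {d['status']} (sha1 {d['sha1']})")
            continue
        first = first_hash_for_label.setdefault(d["status"], d["sha1"])
        if first != d["sha1"]:
            findings.append(f"{d['device']}: '{d['status']}' but hash "
                            f"{d['sha1']} differs from {first}")
    return findings


def sha1_of_sector(sector: bytes) -> str:
    """Upper-case SHA1 of a raw 512-byte sector that ends in the 0x55AA boot
    signature, for comparing an MBR image against a known-good copy.
    Assumption: hashes the whole sector, not only the boot-code bytes."""
    if len(sector) != 512 or sector[510:512] != b"\x55\xAA":
        raise ValueError("not a 512-byte sector with a 0x55AA boot signature")
    return hashlib.sha1(sector).hexdigest().upper()


if __name__ == "__main__":
    for finding in triage(parse_mbrcheck(SAMPLE_REPORT)):
        print("FLAG", finding)
```

    Run as written, the only line flagged is the constructed PhysicalDrive4 entry; the four drives from the post pass, and the two "Windows 7 MBR code detected" drives are accepted because they carry the same hash.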
     
  12. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    1 - logitech related
    2 - Windows Fax/Print capability related

    MBRCheck log looks good - what malware issues are you still experiencing?

    dr.m
     
  13. Chiliyago

    Chiliyago Private E-2

    No issues at the moment. Thanks Dr. M
     
  14. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    ;)

    Good! We are ready then, to do our final cleanup steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
    Safe surfing!
     
  15. Chiliyago

    Chiliyago Private E-2

    One thing I am seeing that is odd.
    When using SuperAntivirus I select "Click Here to Upgrade" and instead of Internet Explorer opening to a web page, MS Word opens!

    The same thing happens with Malwarebytes when I select purchase.

    Any ideas?
     
  16. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member
