Trying to clean up infected computer

Discussion in 'Malware Help (A Specialist Will Reply)' started by airskelcher, Mar 26, 2009.

  1. airskelcher

    airskelcher Private E-2

    Hi

    I have just completed running the READ AND RUN ME FIRST instructions.

    The first problem I had was not being able to show hidden files until I had run the second program; the option was not available.

    The only other problem was not being able to find the Malwarebytes log file and ran the program again, which brought up some things to be deleted again!

    I have attached the 4 log files created and would appreciate if someone could tell me if I have finally got the computer clean?

    I have now spent 3 days trying to clean this computer up and now am fed up with it. Please help.

    Thanks
     

    Attached Files:

  2. airskelcher

    airskelcher Private E-2

    I really could do with some help here. Please?

    I spent 6 hours running the Read and Run First and posted the results yesterday but it seems the computer is still infected and I have not had any reply from anyone on this site?

    Thanks
     
  3. airskelcher

    airskelcher Private E-2

    I think I may have messed up because I was rather preoccupied trying to clean the computer up and didn't read all the sticky posts, including the one that says don't Bump. Now I understand! It wasn't deliberate; I didn't mean to bump by starting a new thread. I only signed up yesterday and I couldn't post to the original thread at the time!

    Still seem to be infected with Virtumonde and other things from a scan I ran overnight with Webroot Antivirus and Spy Sweeper.

    If I just leave the computer alone will it keep getting worse? I can't spend another whole day trying to clean the thing up.

    Sorry and thanks
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O20 - AppInit_DLLs: ljngkv.dll

    NOTE: HJT may popup an error about the AppInit_DLLs line. Ignore it and click OK to continue.

    After clicking Fix, exit HJT.

    Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.


    Now we need to use ComboFix again.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Now run Ccleaner to remove temp files!

    Now download the new version of MGtools and overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )


    Now attach the below log:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
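    As an added illustration (not part of the original thread or of HijackThis itself), the small Python parser below handles the two HijackThis line formats quoted above, O4 Run-key entries and the O20 AppInit_DLLs line, and triages them the way the instructions do: any DLL in AppInit_DLLs is flagged at once, while Run entries get their launched program extracted for review. The third sample line (a ctfmon.exe Run entry) is constructed for contrast.

    ```python
    import re

    # Constructed sample: the two HijackThis lines quoted in the post above plus
    # one ordinary HKLM Run entry for contrast.
    SAMPLE_HJT_LINES = [
        'O4 - HKCU\\..\\Run: [MSMSGS] "C:\\Program Files\\Messenger\\msmsgs.exe" /background',
        'O20 - AppInit_DLLs: ljngkv.dll',
        'O4 - HKLM\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe',
    ]

    O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
    O20_RE = re.compile(r'^O20 - AppInit_DLLs: (?P<dlls>.*)$')


    def parse_hjt_line(line):
        """Parse an O4 (Run key) or O20 (AppInit_DLLs) HijackThis line; None otherwise."""
        m = O4_RE.match(line)
        if m:
            return {'section': 'O4', 'hive': m['hive'], 'key': m['key'],
                    'name': m['name'], 'command': m['cmd']}
        m = O20_RE.match(line)
        if m:
            # The value is a comma- or space-separated DLL list; every entry is
            # loaded into each process that maps user32.dll, so none is harmless.
            return {'section': 'O20',
                    'dlls': [d for d in re.split(r'[,\s]+', m['dlls']) if d]}
        return None


    def executable_of(command):
        """Return the program path from a Run-key command line (quoted or bare)."""
        command = command.strip()
        if command.startswith('"'):
            end = command.find('"', 1)
            return command[1:end] if end > 0 else command[1:]
        return command.split(' ', 1)[0]


    def triage(lines):
        """Return (severity, note, raw_line) for each O4/O20 line worth reviewing."""
        findings = []
        for line in lines:
            entry = parse_hjt_line(line)
            if entry is None:
                continue
            if entry['section'] == 'O20':
                for dll in entry['dlls']:
                    findings.append(('high', 'AppInit_DLLs loads ' + dll, line))
            else:
                exe = executable_of(entry['command'])
                findings.append(('review', entry['hive'] + ' ' + entry['key'] + ' starts ' + exe, line))
        return findings
    ```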
  5. airskelcher

    airskelcher Private E-2

    Hi

    Thanks for the reply.

    I did the analysis bit with MGTools but could not find the 04 - HKCU entry.

    Have carried on but now ComboFix is not on my machine, is it ok to just download it again and carry on with the instructions given?
     
  6. airskelcher

    airskelcher Private E-2

    Hi

    Have now completed the steps as per your reply and attach the logs as requested. I downloaded ComboFix again as it had disappeared.

    The computer seems to be working faster than it was before and is not blue screening or crashing; the internet connection is no longer causing problems and the settings for Internet Explorer are not being changed (all problems previously), plus there are no messages at boot up saying dlls are missing.

    Please advise if it is now clean.

    Thanks for your help.

    Anne
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have not attached the two logs yet.
     
  8. airskelcher

    airskelcher Private E-2

    My apologies. Log files now attached.

    Anne
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, there is a strange folder that I had ComboFix list the contents of. Do you know what the below are? Were the dates of these files around the time of your 1st problems?
    Code:
    ---- Directory of c:\windows\system32\.750df4c0f1ad62b6 ----
    2009-03-26 06:52 45 -a-- c:\windows\system32\.750df4c0f1ad62b6\750df4c0f1ad62b6.ServerPlugin.config 
    2009-03-26 06:52 180 -a-- c:\windows\system32\.750df4c0f1ad62b6\750df4c0f1ad62b6.AT.config 
    2009-03-24 22:04 22016 --h- c:\windows\system32\.750df4c0f1ad62b6\750df4c0f1ad62b6.exe 
    
    Also why are the below ports all opened? Are you an online gamer or a torrent or P2P downloader?
     
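    As an added example (not from the thread or from ComboFix), the Python below parses ComboFix directory-listing lines of the form shown above and applies the same questions the expert asks: is the file in a dot-prefixed folder under system32, is it a hidden executable, and does its timestamp fall near the reported onset date? The sample text is the three listed lines, constructed inline; the onset date is passed in as a string.

    ```python
    import re
    from datetime import datetime

    # Constructed sample: the three lines ComboFix listed in the post above.
    SAMPLE_LISTING = """---- Directory of c:\\windows\\system32\\.750df4c0f1ad62b6 ----
    2009-03-26 06:52 45 -a-- c:\\windows\\system32\\.750df4c0f1ad62b6\\750df4c0f1ad62b6.ServerPlugin.config
    2009-03-26 06:52 180 -a-- c:\\windows\\system32\\.750df4c0f1ad62b6\\750df4c0f1ad62b6.AT.config
    2009-03-24 22:04 22016 --h- c:\\windows\\system32\\.750df4c0f1ad62b6\\750df4c0f1ad62b6.exe
    """

    # date time size attribute-flags path  (flags: 'h' marks a hidden file)
    ENTRY_RE = re.compile(r'^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2})\s+(\d+)\s+([-\w]{4})\s+(.*?)\s*$')
    EXEC_EXT = ('.exe', '.dll', '.sys', '.scr', '.com')


    def parse_listing(text):
        """Turn ComboFix listing lines into dicts; header/blank lines are skipped."""
        entries = []
        for line in text.splitlines():
            m = ENTRY_RE.match(line)
            if not m:
                continue
            date, time, size, flags, path = m.groups()
            entries.append({'when': datetime.strptime(date + ' ' + time, '%Y-%m-%d %H:%M'),
                            'size': int(size), 'hidden': 'h' in flags, 'path': path})
        return entries


    def suspicious(entries, onset_date, window_days=7):
        """Return (path, reasons) for every entry that trips at least one heuristic."""
        onset = datetime.strptime(onset_date, '%Y-%m-%d')
        out = []
        for e in entries:
            reasons = []
            parts = e['path'].lower().split('\\')
            if any(p.startswith('.') for p in parts[:-1]):
                reasons.append('dot-prefixed directory')      # folders named like ".750df4c0f1ad62b6"
            if e['hidden'] and e['path'].lower().endswith(EXEC_EXT):
                reasons.append('hidden executable')
            if abs((e['when'] - onset).days) <= window_days:
                reasons.append('modified within %d days of reported onset' % window_days)
            if reasons:
                out.append((e['path'], reasons))
        return out
    ```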
  10. airskelcher

    airskelcher Private E-2

    In answer to your questions, yes we do download stuff from torrent and the problems started around 26th March, maybe earlier, I'm not sure. As to why all the ports are open I don't know the answer to that one.

    Is there something I should do to close the ports?
     
  11. airskelcher

    airskelcher Private E-2

    Not sure if this is related to the problems previously but I am constantly getting a message from Webroot antivirus program saying it has quarantined a program:

    Mal/autoInf/A and the file associated with it is c:/autorun.ini or k:/autorun.ini

    How do I stop this?

    Anne
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, I will give steps below, but also consider stopping the use of torrents or any other P2P downloaders, which are quite possibly the source of your infections and are probably the largest single cause of people coming here with malware problems.




    Now we need to use ComboFix again.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Now attach the new c:\combofix.txt log.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run the below:

    Disabling AutoRuns

    Also you need to scan all USB flash drives or other removable devices (even memory cards for digital cameras or MP3 players) for infections. Also any additional PCs these devices were plugged into may be infected.
     
  14. airskelcher

    airskelcher Private E-2

    Hi

    Attached is the log from the latest ComboFix run.

    Normally we do not download software, but I made an exception to test something and that is where all our problems have come from.

    Thanks for the help.

    AIR
     

    Attached Files:

  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Your logs are clean.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\combofix folder from combofix (if it exists)
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    8. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
