Win Defrag malware -- already did R&R

Discussion in 'Malware Help (A Specialist Will Reply)' started by TracyM, Nov 30, 2010.

  1. TracyM

    TracyM Private E-2

    Hi, there,

    I too have malware that's calling itself Win Defrag. My son was using my work laptop (never again, dude!) and I think he picked it up on a gaming site where he was downloading cheat codes. I'm running Windows 7.

    Attached are my log files from SuperAntispyware, Malwarebytes and MGtools.
    They found some stuff and removed it, but I am still seeing 2-3 screens telling me to defrag, as well as little pop ups in the lower right corner of my screen saying my hard disk can't be found and my RAM is low, etc.

    Any help deeply appreciated, as I am a freelancer and this is my breadwinning computer.

    Love this site, btw. You guys are doing a great job.
     

    Attached Files:

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Why am I not seeing any AV software on this system?

    Let's start with this:

    Download OTM by Old Timer and save it to your Desktop.


    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Code:
    :Processes
    explorer.exe
    
    :Files
    C:\Users\Tracy\Local Settings\TEMP\1595796549
    C:\Users\Tracy\Local Settings\TEMP\1595796549.bmp
    C:\Users\Tracy\Local Settings\TEMP\1595796549.exe
    C:\Users\Tracy\Local Settings\TEMP\dfrg
    C:\Users\Tracy\Local Settings\TEMP\dfrgr
    C:\Users\Tracy\Local Settings\TEMP\NNDNAnxVXh.dll
    C:\Users\Tracy\Local Settings\TEMP\tmpE5DF.tmp.exe
    C:\Users\Tracy\Local Settings\TEMP\tmpEDDB.tmp
    C:\Users\Tracy\AppData\Local\Msaqofe.bin
    C:\Users\Tracy\AppData\Local\Qlofexete.dat
    C:\Users\Tracy\AppData\Local\Temp\UNrcJcrVSu.exe
    C:\Users\Tracy\AppData\Local\Temp\1595796549.exe
    
    :Reg
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]
    :Commands
    [purity]
    [ResetHosts]
    [createrestorepoint]
    [clearallrestorepoints] <<< don't use this unless all finished with malware removal
    [emptytemp]
    [start explorer]
    [Reboot]

    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large http://farm3.static.flickr.com/2782/4174320048_f01c448b32_o.png button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it in your next reply.


    Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach this log file to your next message.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * OTM log
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
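As an added example that is not part of the thread or of TimW's instructions: a read-only PowerShell check of exactly the indicators the OTM script above targets, meant to be run from an elevated prompt on the affected machine before and after the cleanup. It assumes it runs as the infected user, so `$env:USERPROFILE` stands in for the hard-coded `C:\Users\Tracy`, and it relies on "Local Settings" being a junction to `AppData\Local` on Vista and 7, so the `Local Settings\TEMP` paths in the script resolve to `AppData\Local\Temp`. The `Wow6432Node` BHO path, the `HKCR\CLSID` lookup and the Run-key listing are standard Windows locations added here for completeness, not findings from the thread.

```powershell
# Added example, not from the thread: read-only verification of the "Win Defrag"
# indicators listed in the OTM script. Nothing here deletes or moves anything.
# Assumes PowerShell 2.0 (what Windows 7 ships with) and the infected user's profile.

$userProfile = $env:USERPROFILE                       # C:\Users\Tracy in the thread
$tempDir     = Join-Path $userProfile 'AppData\Local\Temp'
$localDir    = Join-Path $userProfile 'AppData\Local'

# File indicators, copied from the :Files section of the OTM script.
$indicatorFiles = @(
    '1595796549', '1595796549.bmp', '1595796549.exe', 'dfrg', 'dfrgr',
    'NNDNAnxVXh.dll', 'tmpE5DF.tmp.exe', 'tmpEDDB.tmp', 'UNrcJcrVSu.exe'
) | ForEach-Object { Join-Path $tempDir $_ }
$indicatorFiles += (Join-Path $localDir 'Msaqofe.bin'), (Join-Path $localDir 'Qlofexete.dat')

# Registry indicator, copied from the :Reg section. 32-bit IE on 64-bit Windows
# loads BHOs from the Wow6432Node view, so both views are checked (assumption).
$bhoClsid = '{5C255C8A-E604-49b4-9D64-90988571CECB}'
$bhoKeys  = @(
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$bhoClsid",
    "HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$bhoClsid"
)

function Get-Sha256Hex([string]$path) {
    # Get-FileHash needs PowerShell 4; hashing through .NET works on 2.0.
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($path)
    try     { ([System.BitConverter]::ToString($sha.ComputeHash($stream))) -replace '-', '' }
    finally { $stream.Close() }
}

"== File indicators =="
foreach ($path in $indicatorFiles) {
    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path -Force
        if ($item.PSIsContainer) {
            "PRESENT  $path  (directory)"
        } else {
            # Size, timestamp and hash let the sample be identified after OTM moves it.
            "PRESENT  $path  size=$($item.Length) modified=$($item.LastWriteTime) sha256=$(Get-Sha256Hex $path)"
        }
    } else {
        "absent   $path"
    }
}

"== Browser Helper Object =="
foreach ($key in $bhoKeys) {
    if (Test-Path -LiteralPath $key) { "PRESENT  $key" } else { "absent   $key" }
}
# The BHO key only registers a CLSID; the DLL it loads is recorded under HKCR\CLSID.
$inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$bhoClsid\InprocServer32"
if (Test-Path -LiteralPath $inproc) {
    "         CLSID loads: $((Get-ItemProperty -LiteralPath $inproc).'(default)')"
}

"== Autostart entries (review anything pointing into Temp or AppData\Local) =="
foreach ($run in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run') {
    if (Test-Path -LiteralPath $run) {
        Get-ItemProperty -LiteralPath $run | Select-Object -Property * -ExcludeProperty PS* |
            ForEach-Object { $_.PSObject.Properties | ForEach-Object { "$run  $($_.Name) = $($_.Value)" } }
    }
}
```

Run it once before OTM to record what is actually on disk (the hashes identify the samples even after OTM moves them into `C:\_OTM\MovedFiles`), and again after the reboot: every indicator reporting `absent`, no Run entry pointing into the Temp folder, and no more fake defrag screens is the "how things are working now" answer the post asks for. The Run-key listing is generic and will also show legitimate software; it is there to be read, not acted on automatically.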
