Working through R+RMF guide prob with spybot administrator rights

Hi there


I working through the guide to remove malware. I previously installed spybot yesterday before I found this forum. I have installed the teatimer and I cannot get it off. I have followed the MG's instructions and tried to run spybot from the start menu as administrator but it isn't working. Would anyone know how I can bypass this and switch off the teatimer?
Many thanks

Fluff

 

Sorry but I have another problem.

Trying to install MGtools.exe to the C drive but it keeps saying that I do not have administrator authority to save to this drive and I can only save to jduff. I am logged in as administrator. Does anyone have any clues on what I am doing wrong?

Many thanks

 

Hi there

I have now completed what I can. I was receiving TrojanDownloader.xs, antispyware-reviews.biz, abebot threat and wml.exe threats. Slowing my laptop down and I am not sure if they are spying or destroying things. These are all exactly the same format as what everyone else has been receiving (looked at other posts but everyone seems to be slightly different). I am running vista home premium.

I couldn't find quarantine files or a recycle bin in Norton 360. Also, I did not know how to disable Norton before running combofix.

I uninstalled spybot, as I had teatimer installed (did this before I found this forum). When I ran spybot a few days ago, it found 15 tracking cookies.

I had to save MGtools to my desktop, as PC was saying that I didn't have administrators rights, even though I am logged in as adminisatrator.

I have attached superantispyware log, malwarebytes log and MGlogs.zip.

I would be grateful if someone could interpret these and provide some advice. I am not used to doing this type of thing and I apologise if I have missed anything out or done something wrong.

Thanks
Fluff

 

Hi there

Good news is that since I posted my logs yesterday, I haven't had any of the malware pop ups that I have been receiving. Had a couple of problems with what you gave me to work through.

1. I don't know what the dell line is for that was in your last post. Should it be deleted through HJT?

2. Combofix wouldn't run. A blue box with white writing appeared and said "The system cannot ...." this is all that I caught before it disappeared.

3. Sorry but after I deleted the old java and the viewer, I installed the new java. Does this make a mess of things that you are doing?

4. I ran HJT. I checked both lines and deleted them (at the same time). When I went back in to check that they were gone , the 1st line had gone but a noticed a line similar to the 2nd line ie you had eHyLla92u and when I looked after the deletion, there was a line exactly the same but with
eHyLIa92u. The only difference being an l in your line and a capital I in the other line. Does this relate to point 5 below? Have I deleted the wrong line or is this another line which is similar?

5. When I tried to input the input script in Avenger, it came up with the following message:

Error: Invalid Syntax in command

"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ eHyLIaJ92HKEY_LOCAL_MACHNE\Software\Microsoft\Windows\ Current\Version\Policies\ Explorer\Run\eHyLIaJ92u"

Skipping Line (Registry value deletion mode)

6. When I ran superantispyware (whilst following the read me first report) I didn't perform "broken network connection (winsock LSP chain)" as it had XP next to it and I am running vista. Have it interpreted this correct or should I have repaired this?

Look forward to hearing from you and my apologies if I have done something wrong (this is the first time that I have done this - only had laptop 3 months).

Thank you.

Fluff

 

Hi there

I have deleted the dell file.

Avenger didn't work and I have attached the text file.

Temp files deleted.

CCleaner run successfully.

MGTools and avenger logs attached

I had enabled UAC to protect my laptop and I didn't disable it before I ran the MGtools Getlog the 1st time tonight. I disabled it again and when I ran it the 2nd time the following message appeared. Is this related to the message? I have left UAC disabled at the moment while we work on this. Is it safe to do so?

Message when I ran MGTools as follows:-

Cannot export c:\MGTools\temp\xlmsysccsa.txt. Error opening the file. There may be a disk or file system error.


I have not had any of the pop ups for the abebot threat, spyware.biz, etc since I ran the malware removal read me file. My laptop is back to normal speed. Everything appears normal apart from the following:

NB:

However, my desktop changed to a black background after I ran MGtools the first time on 8 April and now I can only change it to solid colours. I can't add any wallpaper or pictures from the control panel. Is this related to this problem?

Also just had a warning from Norton that I need to do a manual fix for tracking cookies but it doesn't tell me what to do. The details that were given are as follows:-

cookie:jduff@server.lon.liveperson.net/hc/7801161
cookie:jduff@server.lon.liveperson.net/

Do I need to do anything about this?

Thank you again for all your help. I will be away now until sunday. I will work through your instructions, if you have got back to me then.

Thanks
Fluff

 

Hi there

I have ran everything that you asked.

I have attached the two reports.

**I received a successful message which said that the keys and values have been successfully added to the registry.**

Everything is running well at the moment with none of the bad pop ups. Only thing that I get is warnings from norton for manual fixes for tracking cookies.

Thank you for your time - I really appreciate it.

Fluff

 

Hi there

1. Have done what you said but I did not do point 9 on your list as I have windows vista not windows XP or XE. Should I be disabling system restore and rebooting??

2. Bit of a panic as I have noticed that some of the files that I thought that were a bit dodgy at the start of the infection are still there (or have reappeared). Could you look at the file names and see if you thing they are dodgy? They were all created on 25/3/08 at 1026am . This is the time when I think this all first happened with the malware appearing after this date.

All created under users/jduff

Desktopblackbird.jpg
DesktopEditorFKWP1.5.exe
DesktopEditorFKWP2.0.exe
Desktopfilemanagerclient.exe
Desktopfkwpl1.5.exe
Desktopfkwpl2.0.exe
Desktopfwebd.exe
DesktopFWebdEditor.exe
DesktopTrojan.Win32.Blackbird.exe

3. Should I hide hidden files again?

4. I can now change my desktop background again. Great

5. Should I delete the following:-
- Superantispyware and malwarebytes? Do I just right click on them in program files to delete them?

6. In program dats, there are the following files:-

- McAffee (think I uninstalled this - can I delete this?)
- Malwarebytes (will this disappear when program deleted?)
- Spybot search and destroy (previously uninstalled - should I delete this?)
- SuperAntispyware.com (will this be deleted when I delete superantispyware?)

7. What is better windows defender or spyware doctor? I will run it along with Norton 360.

Thanks again. You have done a great job. I could never have done this - brilliant.

Fluff

 

Hi there

I am justing giving you an update from work just incase my laptop is having problems tonight. I deleted the dodgy files, ran CC and in the middle of running superantispyware.

However, when I ran SAS the last time, it only ran for 5 1/2 hours. When I left for work this morning it was at 12 1/2 hours. Do you think it is ok? Will see when I go home tonight if it is still running. What is the maximum time I should let it run for?

It has picked up a threat in registry called trojan.DNSchanger-codec. Don't think I had this before.

If SAS is finished when I get home, I'll run the other log and post them for you to look at.

Thanks

Fluff

 

I deleted the dodgy looking files with no probs.

The superantispyware program was still running when I got in from work. I terminated it as it said that it was checking 2 million files on my laptop. I have very little on my laptop I use it mainly for surfing the net. It checked alot less files the last time I ran the scan. It spends alot of time scanning driverstore/filerepository. Not sure if this is relevant and helpful too you.

I have attached the log from SAS that never finished and I have also ran malwarebytes and have attached the log.

I right clicked the registry patch (fixme.reg) that you got me to do previously and deleted it. It has not deleted though - should I try again.

Hopefully thinks aren't as bad as what they look.

ps Just looked and seen that my windows firewall is on and I think that I will also have a firewall with Norton 360. Should I disable the window firewall? And how should I do it?

 

Just logged in at work and noticed that the logs didn't attach. Was having difficulty last night getting them to attach and when I tried to reattach it said that it was in the process of attaching. I will re-attach tonight.

SAS found a trojan.DNSchanger-codec - I haven't been able to do the full scan and therefore haven't deleted it yet.

My laptop was supplied with McAfee originally preloaded. I thought that windows firewall would have been disconnected before I got it, but it wasn't. I have now disabled windows and kept the norton firewall.

Cheers
Fluff

 

Hope logs attach now.

Fluff

 

HI

I have ran superantispyware in safe mode and attached the log.

I ran malbytes and attached log.

I managed to delete the fixreg file.

I then ran ccleaner after deleting the file.

Had a look in:-

Jduff/roaming/microsoft/cookies/low/index.dat
Jduff/roaming/microsoft/cookies/index.dat
Jduff/roaming/microsoft/cookies/jduff@quantserve[2].txt

Are the above ok? Getting a bit paranoid now about anything unusual.

Can I install firefox just now or should I wait until you have finished? I am having to use internet explorer at the moment and thought it might help.


Look forward to hearing from you.

Fluff

 

I have uninstalled SAS and malabytes. Have installed firefox.

Last question - going back to point 9 above, should I be creating a restore point and how should I do it on vista?

Also, should I be doing a backup of my registry and how do I do it?

Thank you very much again for all your help. You do a great job and I really appreciate it. Has opened my eyes and I am already making the changes to protect my laptop,
Fluff