Completed 8-step removal, am I clean?

Status
Not open for further replies.

tester89

I think my laptop is clean, the pop-ups are gone. I completed the 8-step virus removal instructions (very helpful) but couldn't install Java (send error report message). I would like to know if there is more cleaning needed or if the system is clean. I will leave my logs, and I would be grateful if anyone could help me! It would be greatly appreciated.

Thanks to kimsland for helping me last time!
 
Open HJT, tick and fix the following:
O4 - HKUS\S-1-5-19\..\Run: [loyefigisi] Rundll32.exe "C:\WINDOWS\system32\fulemege.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [loyefigisi] Rundll32.exe "C:\WINDOWS\system32\fulemege.dll",s (User 'NETWORK SERVICE')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: c:\windows\system32\halulula.dll
Think hard about removing DAEMON Tools; I've seen too many issues with this program.

After restart do another full updated scan with Malwarebytes again (it will definitely find more, which you need to remove).

Oh, and install an antivirus; I'd highly recommend Avira. Then do a full scan with it.

It was pretty bad you know!
 
Rootkit, Vundo, BackdoorBot, Trojans, and other malware assortments!

You have no security on the system. To try and clean and send you out on the internet is useless unless you get some protection!

The Vundo malware is in the System Restore points. They are protected files and the cleaning programs do not remove them. Do NOT use System Restore. We'll have you remove the old points when cleaning is complete.

Please do Step 1 and Step 2 here ASAP: https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/
You must have skipped these.
 
To Kimsland
1. Opened HJT, ticked the ones above and fixed.
2. Restarted and ran Malwarebytes; scanned and removed.
3. When I try to remove DAEMON Tools I get an error message 'setup is unable to validate installation'.
4. Ran scan with Avira and quarantined.

To Bobbye
1. I had McAfee but removed it because of the interference; I was intending to re-install after I was clean.
2. I completed steps one and two again.

Now Avira keeps popping up with an attention message for C:\WINDOWS\system32\oedes.dll and gives me the options to quarantine, delete, rename, deny access, ignore. But I've chosen delete, move to quarantine and deny access, and it keeps popping up.

Any help will be greatly appreciated.
 
1. I had McAfee but removed it because of the interference; I was intending to re-install after I was clean.
Now Avira keeps popping up
We can only go by what we see and I don't see any security running on the logs you left.

oedes.dll
Type: Winlogon Notify
Name: oedes
Filename: %SYSDIR%\oedes.dll
Description: Backdoor:Win32/Haxdoor
O20 List> AppInit_DLLs & Winlogon Notify

Did you remove this entry per kimsland?
O20 - AppInit_DLLs: c:\windows\system32\halulula.dll
I can't identify this process and it may be a part of Haxdoor.

Please run Malwarebytes again as kimsland stated, followed by a new scan with HijackThis. Attach both logs for review.
 
Requires a reboot to finish.

After a reboot.

The malware is like an onion: it has layers, and when you peel off one layer the other is exposed.

Just because it found and fixed something does not mean it cannot find more with a fresh look, with the removed stuff gone from the last run.

On a bad case like yours usually at least 2 runs each with MBAM and SAS will do it. But after they are clean sometimes it takes other tools to finish up.

Our goal is a clean log, or something that comes up twice, an indication that it cannot be cleaned.

It is time consuming but necessary until a better way is found. Try to schedule it for when you are not using the computer, like when sleeping or at work.

Then update mbam and sas and run both again.

Update both mbam and sas every time before running.

Mike
 
Excuse me Mike, this is not a question of running and rerunning Malwarebytes. He has a Rootkit infection. I am gathering the direction for that now. In the meantime, please refrain from giving instructions.
 
Thanks for the replies. I've run Malwarebytes and SUPERAntiSpyware many times now and they keep finding infections and asking me to reboot. I reboot, then run Malwarebytes and SUPERAntiSpyware and they find infections again and ask me to reboot.
 
Tester, if it is coming up with exactly the same then show us the last logs for MBAM and SAS.

If it finds new ones and some of the same, then that doesn't count. These things come off in layers; if it is removing anything else but leaving some from before that it could not clean, then it is still removing layers. Get the final layer and all may go.

I have not seen an exact duplicate log yet but it sounds as though you have some you did not post. I would like to see the last logs.

Bobbye, don't ask me to refrain from posting in a thread you are involved in unless you are going to do the same in my threads!

He needs to remove all but the final item with MBAM and SAS, then go after the RootKit.

My recommendation/suggestion (not orders or demands) to him stands; it won't hurt and will only help. That is as long as it is removing anything else unique! It is up to him whether or not he takes my suggestion!

Mike
 
Tester

I also recommend the below!

D/L Xclean_Micro http://www.xblock.com/download/xclean_micro.exe
No install, just run it; delete all it finds, decline to reboot on each item found until the program finishes, then reboot.

Xclean will run minimized and will pop up a window if it finds anything. If it finds nothing it will exit.

Please make a note of what it found if any as it has no log.

Then:
ComboFix

NOTE: If your copy of ComboFix is more than a few days old, delete it and re-download.

Get it here: https://www.techspot.com/downloads/5587-combofix.html
Or here: http://subs.geekstogo.com/ComboFix.exe

Double click combofix.exe and follow the prompts.

When finished, it will open a log.
Attach the log and a new HJT log in your next reply.
Note: Do not click ComboFix's window while it's running. That may cause it to stall.

Mike
 
Nope, notice the times. Now that does show an exact duplicate.

First log
07/12/2008 18:34:12
mbam-log-2008-12-07 (18-34-12).txt
----------------------------------------------------------------------------------------------------------------------------------------------------
Second log

07/12/2008 21:17:16
mbam-log-2008-12-07 (21-17-16).txt

So if you want, it's your choice: do my last post!

Mike
 
Mike, I've followed your instructions; I ran Xclean and removed a system restore point.
Ran ComboFix and it said I had no Windows restore console, so I chose yes and it installed it for me. It rebooted the computer.

Started up again and the login has changed from auto login after the welcome screen to a welcome screen where I need to select the user to log on. So I choose mine and a black screen comes up with the mouse visible and that's the way it stays.
*posting from another computer*

Help please anyone!
 
Power off.

Then on startup hit F8 to boot into Safe Mode with Networking.

If you get to the desktop OK then run ComboFix again.

Mike

EDIT: You said XClean deleted a restore point? And no mention of Malware?
 
And you're showing yet another entry in O20:
O20 - AppInit_DLLs: C:\WINDOWS\system32\bozakupe.dll C:\WINDOWS\system32\hodobaja.dll

So all we're doing is substituting one malware process for another, rather than finding its cause. You're using Autoruns to control the Startup, but malware is in one of the startups. We can keep deleting the dll file that comes up in the O20 entry, but so far there have been 3 different ones. We need to find the cause.

That looks like the core rootkit; it could be being reinstalled by another infection that we are missing. The rootkit is changing one of the Autoruns, which is why you get a different O20 entry each time one is removed.

Please download, unzip and run GMER:
http://www.gmer.net/files.php

Do NOT click scan. GMER does an automatic quick scan when run. Click the copy button on the right side of GMER and then paste into your next post.

If you encounter an error, we'll run RootRepeal next. Until and unless the Rootkit is removed, we can't clean the system.

Mike, FYI: this isn't your thread or mine. It belongs to the person with the problem. Help should address that problem. If I make any replies on a thread you are working on, it's because I think another direction needs to be taken, or something was missed that needs to be addressed.
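As an added example (this is my own code, not from anyone in this thread and not part of HijackThis, Malwarebytes or GMER), here is a small Python script that does mechanically what Mike's "notice the times, that does show an exact duplicate" post and Bobbye's "substituting one malware process for another" post are arguing about: it parses HijackThis-style O4/O7/O20 lines from two successive logs and reports whether the same entries persisted (the tools could not clean them), whether old entries vanished only to be replaced by new ones (something is re-creating the autostart, the pattern Bobbye attributes to the rootkit), or whether things are genuinely going away. The sample logs are constructed from the entries quoted earlier in this thread; the header lines in them are placeholders, not real scan output.

```python
"""Diff two HijackThis-style logs and classify what changed between them.

Added example, not code from this thread or from any of the tools it mentions.
Windows registry keys and paths are case-insensitive, so every entry is
lower-cased before comparison.
"""
import re

# "O4 - HKUS\...": section tag, then the rest of the line
HJT_LINE = re.compile(r"^(O\d+)\s*-\s*(.+)$")

# Sections this thread keeps fixing: O4 (Run keys), O7 (policy), O20 (AppInit_DLLs / Winlogon Notify)
WATCHED = {"O4", "O7", "O20"}

# Constructed sample logs built from entries quoted in this thread (not real scans).
LOG_BEFORE = r"""
Constructed sample log 1 (placeholder header, not a real scan)
O4 - HKUS\S-1-5-19\..\Run: [loyefigisi] Rundll32.exe "C:\WINDOWS\system32\fulemege.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [loyefigisi] Rundll32.exe "C:\WINDOWS\system32\fulemege.dll",s (User 'NETWORK SERVICE')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: c:\windows\system32\halulula.dll
"""

LOG_AFTER = r"""
Constructed sample log 2 (placeholder header, not a real scan)
O20 - AppInit_DLLs: C:\WINDOWS\system32\bozakupe.dll C:\WINDOWS\system32\hodobaja.dll
"""


def parse_hjt(text):
    """Return {section: set of lower-cased entry bodies} for the watched sections."""
    found = {}
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if not m or m.group(1) not in WATCHED:
            continue  # non-O lines and sections we are not tracking are ignored
        found.setdefault(m.group(1), set()).add(m.group(2).strip().lower())
    return found


def appinit_dlls(entries):
    """Pull the DLL paths out of 'O20 - AppInit_DLLs: ...' entries.

    AppInit_DLLs is a space- (or comma-) separated list; this assumes the
    paths themselves contain no spaces, which holds for the entries above.
    """
    dlls = set()
    for entry in entries.get("O20", ()):
        if entry.startswith("appinit_dlls:"):
            dlls.update(entry.split(":", 1)[1].replace(",", " ").split())
    return dlls


def compare(prev_text, curr_text):
    """Per section: which entries persisted, which were removed, which are new."""
    prev, curr = parse_hjt(prev_text), parse_hjt(curr_text)
    report = {}
    for sec in WATCHED:
        p, c = prev.get(sec, set()), curr.get(sec, set())
        report[sec] = {"persisted": p & c, "removed": p - c, "new": c - p}
    return report


def verdict(report):
    """Map the diff onto the outcomes discussed in the thread."""
    new = any(r["new"] for r in report.values())
    removed = any(r["removed"] for r in report.values())
    persisted = any(r["persisted"] for r in report.values())
    if new:
        # old entries gone but fresh ones appeared: something is re-creating the autostart
        return "substitution" if removed else "new_entries"
    if persisted:
        # identical findings twice in a row: the scanners cannot remove these entries
        return "duplicate" if not removed else "progress"
    return "clean"


if __name__ == "__main__":
    rep = compare(LOG_BEFORE, LOG_AFTER)
    for sec, r in sorted(rep.items()):
        print(sec, {k: sorted(v) for k, v in r.items()})
    print("verdict:", verdict(rep))                      # substitution
    print("AppInit DLLs now:", sorted(appinit_dlls(parse_hjt(LOG_AFTER))))
    print("same log twice:", verdict(compare(LOG_AFTER, LOG_AFTER)))  # duplicate
```

The "substitution" verdict is the one to act on: it means deleting the O20 DLL is treating a symptom, and the next step is finding what writes the value (which is why the rootkit scanners are the right move), whereas "duplicate" means the ordinary scanners have hit a protected item and a different tool is needed.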
 
Done that Mike, and I still can't log in. It gives me the option to sign into mine 'Marvin' and Administrator; I've clicked 'Marvin', it tries to log in but brings me back to the login screen. So I click Administrator and it does the same. Bottom line, I can't log in.

Any help will be greatly appreciated!

EDIT: You said XClean deleted a restore point? And no mention of Malware?

Yeah, it said 'this restore point infected', delete and some other options.
 
OK, we can fix it, don't panic.

With all you had and still have it could have happened at any time.

Do you have a Windows setup disk?

Boot back to the Advanced Boot Menu where you found Safe Mode and choose Last Known Good Configuration.

Mike
 
OK good!

Glad it is SP3!

OK, we are going to do a repair/overlay install. It reinstalls Windows but keeps your data, programs, email etc.

Boot from the CD; Windows setup will start and offer "R" to Repair using the Recovery Console. This is not what you want, so continue. Windows will then announce that it has found an existing Windows installation and offer "R" to repair the existing installation. This is what you want, so choose R. From there on it looks like a normal Windows install.

A couple links for perspective.

A link to follow: https://www.techspot.com/vb/topic8356.html

Another one for insight: http://pcsupport.about.com/od/operatingsystems/ss/instxprepair1.htm

This should get you back up and repair by overwriting some of the malware that is in the Windows system folders, but not all of it.

Mike
 
I can't find the option to repair the existing installation. I get to the Recovery Console page so I press Enter to continue the Windows install; it shows me hard drives but the options are: set up on the selected item press Enter, to create a partition press C, to delete the partition press D.
 
All programs will start and run. This is not a reinstall of windows.

It is called a repair or overlay install, as I said in my last post!
It reinstalls Windows but keeps your data, programs, email etc.

But you must do it correctly as directed and choose R to Repair Existing Windows Installation!

Mike
 