TechSpot

Completed 8-step removal, am I clean?

By tester89
Dec 6, 2008
  1. I think my laptop is clean; the pop-ups are gone. I completed the 8-step virus removal instructions (very helpful), though I couldn't install Java (send error report message). I would like to know if there is more cleaning needed or if the system is clean. I will leave my logs, and I would be grateful if anyone could help me! It would be greatly appreciated.

    Thanks to kimsland for helping me last time!
     
  2. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Open HJT, tick and fix the following:
    Think highly about removing DAEMON Tools; I've seen too many issues with this program.

    After restart do another full updated scan with Malwarebytes again (it will definitely find more, which you need to remove)

    Oh, and install an antivirus; I'd highly recommend Avira. Then do a full scan with it.

    It was pretty bad you know!
     
  3. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Rootkit, Vundo, BackdorBot, Trojans, and other malware assortments!

    You have no security on the system. To try and clean and send you out on the internet is useless unless you get some protection!

    The Vundo malware is in the System Restore points. They are protected files and the cleaning programs do not remove them. Do NOT use System Restore. We'll have you remove the old points when cleaning is complete.

    Please do Step 1 and Step 2 here ASAP: http://www.techspot.com/vb/topic58138.html
    You must have skipped these.
     
  4. tester89

    tester89 TS Rookie Topic Starter Posts: 16

    To Kimsland
    1. Opened HJT, ticked the ones above and fixed.
    2. Restarted and ran Malwarebytes' scan, and removed.
    3. When I try to remove DAEMON Tools I get an error message 'setup is unable to validate installation'.
    4. Ran a scan with Avira and quarantined.

    To Bobbye
    1. I had McAfee but removed it because of the interference; I was intending to re-install it after I was clean.
    2. I completed steps one and two again.

    Now Avira keeps popping up with an attention message for C:\WINDOWS\system32\oedes.dll and gives me the options to quarantine, delete, rename, deny access, ignore. I've chosen delete, move to quarantine and deny access, but it keeps popping up.

    Any help will be greatly appreciated.
     
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    We can only go by what we see and I don't see any security running on the logs you left.

    oedes.dll
    Did you remove this entry per kimsland?
    O20 - AppInit_DLLs: c:\windows\system32\halulula.dll
    I can't identify this process and it may be a part of Haxdoor.

    Please run Malwarebytes again as kimsland stated, followed by a new scan with HijackThis. Attach both logs for review.
     
  6. tester89

    tester89 TS Rookie Topic Starter Posts: 16

    Thanks for the rapid response, here are the logs
     
  7. mflynn

    mflynn TS Rookie Posts: 2,655

    Requires a reboot to finish.

    After a reboot.

    Malware is like an onion: it has layers, and when you peel off one layer the other is exposed.

    Just because it found and fixed something does not mean it cannot find more with a fresh look, with the removed stuff gone from the last run.

    On a bad case like yours usually at least 2 runs each with mbam and sas will do it. But after they are clean sometimes it takes other tools to finish up.

    Our goal is a clean log, or something that comes up twice, which is an indication that it cannot be cleaned.

    It is time consuming but necessary until a better way is found. Try to schedule it for when you're not using the computer, like while sleeping or at work.

    Then update mbam and sas and run both again.

    Update both mbam and sas every time before running.

    Mike
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Excuse me Mike, this is not a question of running and rerunning Malwarebytes. He has a Rootkit infection. I am gathering the direction for that now. In the meantime, please refrain from giving instructions.
     
  9. tester89

    tester89 TS Rookie Topic Starter Posts: 16

    Thanks for the replies. I've run Malwarebytes and Super Anti-Spy many times now and they keep finding infections and asking me to reboot. I reboot, then run Malwarebytes and Super Anti-Spy, and they find infections again and ask me to reboot.
     
  10. mflynn

    mflynn TS Rookie Posts: 2,655

    Tester, if it is coming up with exactly the same, then show us the last logs for MBAM and SAS.

    If it finds new ones and some of the same, then that doesn't count. These things come off in layers; if it is removing anything else but leaving some from before that it could not clean, then it is still removing layers. Get the final layer and all may go.

    I have not seen an exact duplicate log yet, but it sounds as though you have some you did not post. I would like to see the last logs.

    Bobbye, don't ask me to refrain from posting in a thread you are involved in unless you are going to do the same in my threads!

    He needs to remove all but the final item with MBAM and SAS, then go after RootKit.

    My recommendation/suggestion (not orders or demands) to him stands; it won't hurt and will only help. That is, as long as it is removing anything else unique! It is up to him whether or not he takes my suggestion!

    Mike
     
  11. mflynn

    mflynn TS Rookie Posts: 2,655

    Tester

    I also recommend the below!

    D/L Xclean_Micro http://www.xblock.com/download/xclean_micro.exe
    No install; just run it, delete all it finds, and decline to reboot on each item found until the program finishes, then reboot.

    Xclean will run minimized and will pop up a window if it finds anything. If it finds nothing it will exit.

    Please make a note of what it found if any as it has no log.

    Then:
    ComboFix

    NOTE: If your copy of ComboFix is more than a few days old, delete it and re-download.

    Get it here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
    Or here: http://subs.geekstogo.com/ComboFix.exe

    Double click combofix.exe follow the prompts.

    When finished, it will open a log.
    Attach the log and a new HJT log in your next reply.
    Note: Do not click ComboFix's window while it's running. That may cause it to stall.

    Mike
     
  12. tester89

    tester89 TS Rookie Topic Starter Posts: 16

    Here are the latest logs

    *posted this before your last post*
     
  13. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

  14. mflynn

    mflynn TS Rookie Posts: 2,655

    Nope, notice the times. Now that does show an exact duplicate.

    First log
    07/12/2008 18:34:12
    mbam-log-2008-12-07 (18-34-12).txt
    ----------------------------------------------------------------------------------------------------------------------------------------------------
    Second log

    07/12/2008 21:17:16
    mbam-log-2008-12-07 (21-17-16).txt

    So if you want your choice do my last post!

    Mike
     
  15. tester89

    tester89 TS Rookie Topic Starter Posts: 16

    Mike, I've followed your instructions; I ran Xclean and removed a system restore point.
    Ran ComboFix and it said I had no Windows restore console, so I chose yes and it installed it for me. It rebooted the computer.

    Started up again and the login system has changed from auto login after the welcome screen to a welcome screen where I need to select the user to log on. So I choose mine and a black screen comes up with the mouse visible, and that's the way it stays.
    *posting from another computer*

    Help please anyone!
     
  16. mflynn

    mflynn TS Rookie Posts: 2,655

    Power off.

    Then on startup hit F8 to boot into Safe Mode networking.

    If you get to desktop OK then run combofix again.

    Mike

    EDIT: You said XClean deleted a restore point? And no mention of Malware?
     
  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    And you're showing yet another entry in O20:
    O20 - AppInit_DLLs: C:\WINDOWS\system32\bozakupe.dll C:\WINDOWS\system32\hodobaja.dll

    So all we're doing is substituting one malware process for another, rather than finding its cause. You're using Autoruns to control the Startup, but malware is in one of the startups. We can keep deleting the dll file that comes up in the O20 entry, but so far there have been 3 different ones. We need to find the cause.

    That looks like the core rootkit; it could be being reinstalled by another infection that we are missing. The Rootkit is changing one of the Autoruns, which is why you get a different O20 entry each time one is removed.

    Please download, unzip and run GMER:
    http://www.gmer.net/files.php

    Do NOT click scan. GMER does an automatic quick scan when run. Click the copy button on the right side of GMER and then paste into your next post.

    If you encounter an error, we'll run RootRepeal next. Until and unless the Rootkit is removed, we can't clean the system.

    Mike, FYI: this isn't your thread or mine. It belongs to the person with the problem. Help should address that problem. If I make any replies on a thread you are working on, it's because I think another direction needs to be taken, or something was missed that needs to be addressed.
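    As an added example (not code from this thread, from HijackThis or from any poster), a small Python script that diffs the O20 AppInit_DLLs entries across successive HijackThis logs and reports whether the DLL name is being swapped on every run, the pattern described above. The log snippets are constructed from the DLL names quoted in this thread, and the function names are hypothetical.

```python
import re

# Constructed sample: O20 lines from three successive HijackThis logs, built
# from the DLL names quoted in this thread (not the poster's actual logs).
HJT_LOGS = [
    ("hjt-1.log", "Logfile of Trend Micro HijackThis v2.0.2\n"
                  "O4 - HKLM\\..\\Run: [avgnt] C:\\Program Files\\Avira\\avgnt.exe\n"
                  "O20 - AppInit_DLLs: c:\\windows\\system32\\halulula.dll\n"),
    ("hjt-2.log", "Logfile of Trend Micro HijackThis v2.0.2\n"
                  "O20 - AppInit_DLLs: C:\\WINDOWS\\system32\\oedes.dll\n"),
    ("hjt-3.log", "Logfile of Trend Micro HijackThis v2.0.2\n"
                  "O20 - AppInit_DLLs: C:\\WINDOWS\\system32\\bozakupe.dll "
                  "C:\\WINDOWS\\system32\\hodobaja.dll\n"),
]

# HijackThis reports the AppInit_DLLs registry value as an O20 line.
O20_RE = re.compile(r"^O20 - AppInit_DLLs:\s*(.*)$", re.IGNORECASE | re.MULTILINE)


def appinit_dlls(log_text):
    """Return the DLL paths on a log's O20 lines, lower-cased, in order.
    The value is space-separated, so paths containing spaces are not handled."""
    dlls = []
    for match in O20_RE.finditer(log_text):
        for path in re.split(r"[\s,;]+", match.group(1).strip()):
            if path:
                dlls.append(path.lower())
    return dlls


def appinit_churn(logs):
    """Diff O20 entries between successive logs and classify the pattern:
    'clear' (newest log has no entry), 'rotating' (every run dropped one DLL
    and gained another, so the loader rewriting the value is still active),
    or 'present' (an entry remains but is not swapped each run)."""
    history = [(name, appinit_dlls(text)) for name, text in logs]
    diffs = []
    for (_, prev), (name, cur) in zip(history, history[1:]):
        diffs.append({"log": name,
                      "added": sorted(set(cur) - set(prev)),
                      "removed": sorted(set(prev) - set(cur))})
    latest = history[-1][1] if history else []
    if not latest:
        verdict = "clear"
    elif diffs and all(d["added"] and d["removed"] for d in diffs):
        verdict = "rotating"
    else:
        verdict = "present"
    return {"diffs": diffs, "verdict": verdict}
```

    A 'rotating' verdict on the sample logs means deleting the listed DLL is treating a symptom; the component that rewrites AppInit_DLLs still has to be found.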
     
  18. tester89

    tester89 TS Rookie Topic Starter Posts: 16

    Done that, Mike, and I still can't log in. It gives me the option to sign into mine, 'Marvin', and Administrator. I've clicked 'Marvin'; it tries to log in but brings me back to the login screen. So I click Administrator and it does the same. Bottom line, I can't log in.

    Any help will be greatly appreciated!

    Yeah, it said 'this restore point infected', delete, and some other options.
     
  19. mflynn

    mflynn TS Rookie Posts: 2,655

    OK, we can fix it, don't panic.

    With all you had and still have it could have happened at any time.

    Do you have a Windows setup disk?

    Boot back to the Advanced Boot Menu where you found Safe Mode and choose Last Known Good Configuration.

    Mike
     
  20. tester89

    tester89 TS Rookie Topic Starter Posts: 16

    1. Yes, I have a Windows setup disc but it's new, SP3.
    2. I did Last Known Good Config (same thing).
     
  21. mflynn

    mflynn TS Rookie Posts: 2,655

    OK good!

    Glad it is SP3!

    Ok, we are going to do a repair/overlay install. It reinstalls Windows but keeps your data, programs, email etc.

    Boot from the CD. Windows setup will start and offer "R" to Repair using Recovery Console; this is not what you want, so continue. Windows will then announce that it has found an existing Windows installation and offer "R" to repair the existing installation. This is what you want, so choose R. From there on it looks like a normal Windows install.

    A couple links for perspective.

    A link to follow: http://www.techspot.com/vb/topic8356.html

    Another one for insight: http://pcsupport.about.com/od/operatingsystems/ss/instxprepair1.htm

    This should get you back up and repair by overwriting some malware that is in the windows system folders, but not all.

    Mike
     
  22. tester89

    tester89 TS Rookie Topic Starter Posts: 16

    Will the programs still start or will they need re-installs?
     
  23. tester89

    tester89 TS Rookie Topic Starter Posts: 16

    I can't find the option to repair the existing installation. I get to the recovery console page, so I press Enter to continue the Windows install. It shows me hard drives, but the options are: Set up on selected item press Enter, to create partition press C, delete the partition press D.
     
  24. mflynn

    mflynn TS Rookie Posts: 2,655

    All programs will start and run. This is not a reinstall of windows.

    It is called a repair or overlay install, as I said in my last post!
    But you must do it correctly as directed and choose R to Repair Existing Windows Installation!

    Mike
     
  25. tester89

    tester89 TS Rookie Topic Starter Posts: 16

    I can't find the option to repair the existing installation. I get to the recovery console page, so I press Enter to continue the Windows install. It shows me hard drives, but the options are: Set up on selected item press Enter, to create partition press C, delete the partition press D.
    *sorry for double post*
     
Topic Status:
Not open for further replies.
