Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

need help with malware removal

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Re: need help with malware removal

Unread postby deltalima » August 1st, 2010, 4:03 pm

Hi bkeesing,

scann does not seem to start


OK, please try this alternative scan.

ESET online scannner

  • Please go Here then click on: Image
    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
  • Select the option YES, I accept the Terms of Use then click on: Image
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Image
  • The virus signature database... will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on: Image
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.
User avatar
deltalima
Admin/Teacher
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK
Advertisement
Register to Remove

Re: need help with malware removal

Unread postby bkeesing » August 1st, 2010, 8:58 pm

ESET would not run on the effected computer,,followed your instructions and it opened a new screen, light blue in color but did not seem to do anything. Light blue page is totally blank except for a tiny white box woth a red x in the upper left corner of the page. Not sure if this is an issue,,,but at this point it appears that I have no Java running on that computer. Was instructed to delete previous versions of Java in preparation for the updated version that has refused to load.
bkeesing
Regular Member
 
Posts: 29
Joined: July 26th, 2010, 9:05 pm

Re: need help with malware removal

Unread postby deltalima » August 2nd, 2010, 5:01 am

Hi bkeesing,

Was instructed to delete previous versions of Java in preparation for the updated version that has refused to load.


Please run rkill.

Please download the Java install file to another computer and transfer via CD / pen drive to the affected computer and try to install that way.

Let me know if that works and if not what the exact error message is.
User avatar
deltalima
Admin/Teacher
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: need help with malware removal

Unread postby bkeesing » August 2nd, 2010, 12:24 pm

finally got Java to load on the affected computer, the Java test says its working now. Checked a movie clip on youtube and those still wont play,,, tried downloading an update to the inbedded player as suggested on the sire, but it returned a message that it could not find the site.

Prior to getting it installed I ran RKILL,,,there was nothing listed on the report.

Kaspersky online scanner is now working,,,running it now and will have a report when its done.
bkeesing
Regular Member
 
Posts: 29
Joined: July 26th, 2010, 9:05 pm

Re: need help with malware removal

Unread postby deltalima » August 2nd, 2010, 12:27 pm

OK thanks for letting me know, post when ready (the scan can take a long time).
User avatar
deltalima
Admin/Teacher
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: need help with malware removal

Unread postby bkeesing » August 2nd, 2010, 5:42 pm

Here are the scan results from Kaspersky

KASPERSKY ONLINE SCANNER 7.0: scan report
Monday, August 2, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Monday, August 02, 2010 15:12:43
Records in database: 4162558


Scan settings
scan using the following database extended
Scan archives yes
Scan e-mail databases yes

Scan area My Computer
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\

Scan statistics
Objects scanned 268913
Threats found 5
Infected objects found 6
Suspicious objects found 0
Scan duration 04:21:40

File name Threat Threats count
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Infected: Trojan.HTML.Agent.dc 1

C:\Documents and Settings\HP_Administrator\Local Settings\Temp\hQMy.exe Infected: Trojan.Win32.FakeAV.aw 1

C:\Program Files\Trend Micro\Antivirus\VSSBBR07.005 Infected: Trojan-Downloader.Win32.Agent.auv 1

C:\WINDOWS\Temp\jar_cache3301456097426842156.tmp Infected: Exploit.Java.Agent.bq 1

E:\I386\APPS\APP24087\src\CompaqPresario_Spring06.exe Infected: not-a-virus:AdWare.Win32.WeatherBug.a 1

E:\I386\APPS\APP24087\src\HPPavillion_Spring06.exe Infected: not-a-virus:AdWare.Win32.WeatherBug.a 1

Selected area has been scanned.
bkeesing
Regular Member
 
Posts: 29
Joined: July 26th, 2010, 9:05 pm

Re: need help with malware removal

Unread postby deltalima » August 3rd, 2010, 3:43 am

Hi bkeesing,

We need to remove the viruses that Kaspersky detected.

Run OTL Script

  • Double-click OTL.exe to start the program.
  • Copy and Paste the following code into the Image textbox. Do not include the word Code
    Code: Select all
    :files
    C:\Documents and Settings\HP_Administrator\Local Settings\Temp\hQMy.exe
    C:\WINDOWS\Temp\jar_cache3301456097426842156.tmp
    :commands
    [EMPTYTEMP]
    
  • Then click the Run Fix button at the top.
  • Click Image.
  • OTL may ask to reboot the machine. Please do so if asked.
  • The report should appear in Notepad after the reboot.Copy and Paste that report in your next reply.

Outlook

There are infected emails in your Outlook storage file. Please check though your emails to see if there are any emails with attachments and delete any attachments that you do not recognise and cannot trust.

Once this is done then please empty deleted items and then compact the file File - Data File Management - highlight file - Settings - Compact Now.

Next run another Kaspersky scan. This may need to be done several times until the infected email can be eliminated.

These files

C:\Program Files\Trend Micro\Antivirus\VSSBBR07.005
E:\I386\APPS\APP24087\src\CompaqPresario_Spring06.exe
E:\I386\APPS\APP24087\src\HPPavillion_Spring06.exe


Are safe and do not need to be removed.

Please let me know how the computer is running now.
User avatar
deltalima
Admin/Teacher
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: need help with malware removal

Unread postby bkeesing » August 3rd, 2010, 10:44 am

On the restart after running OLT,,, the windows screen (the one before the sign-in screen) opened for a few seconds, then went to a full screen of colored boxes, then a second pattern of colored small shapes,, the mouse is working, but it has stopped loading windows.
bkeesing
Regular Member
 
Posts: 29
Joined: July 26th, 2010, 9:05 pm

Re: need help with malware removal

Unread postby deltalima » August 3rd, 2010, 2:03 pm

Hi bkeesing,

Boot into Safe Mode:
Restart your computer and immediately begin tapping the F8 key on your keyboard.
If done right a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter.

Please run a new scan with OTL and post the contents of OTL.TXT
User avatar
deltalima
Admin/Teacher
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: need help with malware removal

Unread postby bkeesing » August 3rd, 2010, 2:28 pm

Was tapping F8 but it bypassed and went directly to a normal boot up,,,which worked normally, not sure what had happened. Below is the log for OLT from just before the re-boot. Do you still want another OLT scan run?



All processes killed
========== FILES ==========
C:\Documents and Settings\HP_Administrator\Local Settings\Temp\hQMy.exe moved successfully.
C:\WINDOWS\Temp\jar_cache3301456097426842156.tmp moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes
->Flash cache emptied: 41 bytes

User: HP_Administrator
->Temp folder emptied: 1179901689 bytes
->Temporary Internet Files folder emptied: 46120578 bytes
->Java cache emptied: 21766636 bytes
->Flash cache emptied: 364531 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 40551299 bytes
->Flash cache emptied: 5195 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 35595104 bytes
->Java cache emptied: 14 bytes
->Flash cache emptied: 21525 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 19569 bytes
%systemroot%\System32 .tmp files removed: 16913015 bytes
%systemroot%\System32\dllcache .tmp files removed: 17303040 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 132515951 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 64684810 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 194398 bytes

Total Files Cleaned = 1,484.00 mb


OTL by OldTimer - Version 3.2.9.1 log created on 08032010_083347

Files\Folders moved on Reboot...
File\Folder C:\Documents and Settings\HP_Administrator\Local Settings\Temp\hsperfdata_HP_Administrator\3964 not found!

Registry entries deleted on Reboot...
bkeesing
Regular Member
 
Posts: 29
Joined: July 26th, 2010, 9:05 pm

Re: need help with malware removal

Unread postby deltalima » August 3rd, 2010, 3:11 pm

Hi bkeesing,

Do you still want another OLT scan run?


No, that was to find what was stopping Windows from starting up.

Please continue with the previous instructions to clean up Outlook and then

Scan With RKUnHooker

  • Please Download Rootkit Unhooker Save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (Tick) Drivers, Stealth, Files, Code Hooks. Uncheck the rest. then Click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
  • Copy the entire contents of the report and paste it in a reply here.
User avatar
deltalima
Admin/Teacher
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: need help with malware removal

Unread postby bkeesing » August 3rd, 2010, 6:53 pm

OK, here is the report

RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #2
==============================================
>Stealth
==============================================
==============================================
>Files
==============================================
!-->[Hidden] C:\Documents and Settings\All Users\Application Data\Real\setup\config.ini::$DATA
==============================================
>Hooks
==============================================
ntkrnlpa.exe+0x0006ECAE, Type: Inline - RelativeJump 0x80545CAE-->80545CB5 [ntkrnlpa.exe]
[268]explorer.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DD1218-->00000000 [shimeng.dll]
[268]explorer.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77F110B4-->00000000 [shimeng.dll]
[268]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x01001268-->00000000 [shimeng.dll]
[268]explorer.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7C9C15A4-->00000000 [shimeng.dll]
[268]explorer.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7E41133C-->00000000 [shimeng.dll]
[268]explorer.exe-->wininet.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x3D931480-->00000000 [shimeng.dll]
[268]explorer.exe-->ws2_32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x71AB109C-->00000000 [shimeng.dll]
bkeesing
Regular Member
 
Posts: 29
Joined: July 26th, 2010, 9:05 pm

Re: need help with malware removal

Unread postby bkeesing » August 3rd, 2010, 7:01 pm

not sure why or if its important,,but on the rootkit unhooker program report it says at the end of the report:

!!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)

but it was not on the report when I saved or sent it to you
bkeesing
Regular Member
 
Posts: 29
Joined: July 26th, 2010, 9:05 pm

Re: need help with malware removal

Unread postby deltalima » August 4th, 2010, 3:16 am

Hi bkeesing,

!!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)

but it was not on the report when I saved or sent it to you


That's fine, the log looks good.

Please let me know how the computer is running now.
User avatar
deltalima
Admin/Teacher
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: need help with malware removal

Unread postby bkeesing » August 4th, 2010, 11:39 am

Everything seems to be working normally,

I sincerely appreciate your work and patience. This is am amazing service you provide.
bkeesing
Regular Member
 
Posts: 29
Joined: July 26th, 2010, 9:05 pm
Advertisement
Register to Remove

PreviousNext

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 45 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware