Boot time scan and Fun Web/ Fun Cards

[JENT1701]

Ok, had her do that exactly. Unfortunately it did not produce a log. Drat!  It just prompted for a restart. She restarted in Normal Windows, but it's still real slow booting up, so I had her go back to safe mode. Is there anyway to retrieve the log like in MBAM? Should we try the fix again?  Thanks for your time.

[essexboy]

I really need to work from normal mode as that is where I have the best chance of seeing what is wrong - so lets get the big boy on the job

Download ComboFix from one of these locations:


Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
• Double click on ComboFix.exe & follow the prompts.
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.  It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you.  Please include the C:\ComboFix.txt in your next reply.

[JENT1701]

Uh oh, this sounds like business. She is out right now, but I will run through it and show her how to do it when she returns. It does seem logical that we get it goin in normal mode since that is where the problem lies. Otherwise it flies in Safe mode. I think we can get it goin, it's just gonna be stubborn. Thanks for your help.

[essexboy]

If necessary then run combofix from safe mode with networking that should relieve the pressure on normal mode, but obviously it would be prefereable to run from normal mode

[JENT1701]

Understood. Thanks

[JENT1701]

Okay this is where we stand. Got her to download and run combofix. Had to do it in Safe Mode. Computer was completely locked in Normal mode. (I attached the log). Restarted the computer in normal mode and it was still locked. This time as a hunch I had her fire up Task manager. Right away she pointed out that Avast was using up 100% CPU. (She mentioned that it wasn't responding much when she tried to disable it for OTS and Combofix downloads). Couldn't get it to close in Task Manager, so we restarted in Safe Mode. Checked Task Manager. No Avast Running. CPU at around 2-15%. Fired up Control Panel, Add/Remove Programs and removed Avast completely. Restarted in normal mode and the Windows startup chime never sounded so good!Woo! Hoo! Finally!!! After that I had her reinstall Avast. Wasn't much more I could think of to do until I talked to you, but I did have her run another Full Scan with MBAM in normal mode and told her to call it a night. The computer is doin good now, but I want to make sure it stays that way.
       Also as posted by SafeSurf "When we are all done with the malware removal and then removing tools from the machine, we will need to update some software on the machine that is outdated as well, but we will instruct you how to do this and cannot do it now."  I really want to get all the bugs out as much as possible. This is for a good friend and a great person. It's 2:47AM here and I'm gonna get some well deserved rest. Thanks again for all your help so far.

[JENT1701]

Oh yea, one other thing. I practiced downloading and running some of these tools on my own machines so I could tell my friend how to use them. I found a few bugs and even a rootkit hiding in my laptop, so I am very thankful to you for that as well. I may need to start a thread or two on those if necessary.

[Pondus]

Just adding this: Malwarebytes can have up to 10 updates on a day, so always click the update button so you have latest signatures before you scan  (pro version will auto update)

[JENT1701]

Wow! Thanks 

[Pondus]

If you open Malwarebytes > settings > warn if database is outdated > and sett this to 1 day (default is 7)
then you will get a prompt for update if database is older then one day

[JENT1701]

Took care of that thanks.

[JENT1701]

When we are all done with the malware removal and then removing tools from the machine, we will need to update some software on the machine that is outdated as well, but we will instruct you how to do this and cannot do it now.

Let us know if you have any questions.  Thank you.

I was wondering if you could help me with that outdated software issue. I thought I had everything up to date. Thanks, Jon

[SafeSurf]

When we are all done with the malware removal and then removing tools from the machine, we will need to update some software on the machine that is outdated as well, but we will instruct you how to do this and cannot do it now.

Let us know if you have any questions.  Thank you.

I was wondering if you could help me with that outdated software issue. I thought I had everything up to date. Thanks, Jon

I need Essexboy to give me the OK on your Combofix first, then remove his tools from the machine (he will give you instructions on how to do this).  Then while having your friend use the machine normally, I will give you some tips and help you with the updating.  Essexboy will also give you some suggestions for keeping safe in the future.  Thanks.

[JENT1701]

Ok, thanks. I just reviewed my earlier posts and remembered that we never got a log from Combofix, probably due to the earlier problems. I would guess that I should have her run it again in Normal mode and hopefully it will provide a log this time so that we will know where to go from here. So far the other malware programs have come up clean in their scans. Thanks again.

[essexboy]

Sorry did not get notified for this

One further driver to remove and then you should be good to go

1. Please open Notepad

• Click Start , then Run
• Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

File::
c:\windows\system32\drivers\egmenb.sys

Driver::
krjb

3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below.  This will start ComboFix again.




6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

• Combofix.txt .