Core malware can't be removed

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Ramza, Feb 2, 2008.

  1. Ramza

    Ramza Private E-2

    I've been trying to get rid of this problem, but have had no success. I believe my computer was infected with it on 1/31/08. Not exactly sure what I had done, but I noticed pop-ups randomly popping up after some time.
    I followed the guidelines and created some logs. Please help when possible. Thank you in advance, whoever will be available. =)
     

    Attached Files:

  2. abri

    abri MajorGeek

    Hi Ramza!
    Welcome to Major Geeks!


    AVG Antispyware didn't run and neither did HijackThis. Please rerun AVG Antispyware, but this time, be sure to shut your computer down and unplug it from the internet. Reboot while it's still disconnected and disable any antivirus, antispyware and firewall programs you have running. When it runs, please have it fix everything it finds.

    For HijackThis, please do the following. Go to the folder C:\MGTools (or the directory where your operating system is located if it's not under C) and look in this folder for the program called analyse.exe. Double click on this program and select "Do a system scan and save a log file". Allow it to run and then attach the log to your next post. The log will be called HijackThis.log and I think it will either be in the MGTools folder or directly under C:\

    Be sure that your antivirus, antispyware and firewalls are connected before you reconnect your computer to the internet. This should occur automatically when you reboot. If not, just reenable them manually.

    Thanks very much.
    abri
     
  3. Ramza

    Ramza Private E-2

    Thank you for taking the time to help. I did run AVG Anti-spyware, but it didn't save a log the first time I ran it. Here are the two logs that were left out the last time.
     

    Attached Files:

  4. abri

    abri MajorGeek

    Hi Ramza!

    Please do the following. If something doesn't work, please continue. Attach your results at the end and let us know how things are working.


    1) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
    O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    After you click Fix, just close HijackThis.

    2) Install the current version of Sun Java from: Sun Java Runtime Environment

    3) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger

    4) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    5) Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.


    6) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log.


    Let me know how things are running now.

    abri
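    The HijackThis lines quoted in step 1 are easier to act on when sorted by what they mean: an O2/O3 entry ending in "(no file)" is a BHO or toolbar CLSID whose DLL is gone (a leftover registration), an O4 entry is an autostart program, and an O6 entry is an Internet Explorer policy restriction. The following triage helper is an added example, not a tool from this thread or from MajorGeeks; it assumes the line shapes shown above and uses the six quoted lines as constructed sample input.

```python
import re

# Constructed sample: the six HijackThis lines quoted in step 1 of this post.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
"""

# A COM CLSID as HijackThis prints it: {8-4-4-4-12 hex digits}.
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# O4 - <hive>\..\<key>: [<value name>] <command line>   (assumed shape, matches the sample)
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')


def parse_line(line):
    """Return a dict describing one HijackThis entry, or None for a non-entry line."""
    line = line.strip()
    m = re.match(r"^(O\d+) - (.*)$", line)
    if not m:
        return None
    section, body = m.groups()
    entry = {"section": section, "raw": line, "verdict": "review"}
    if section in ("O2", "O3"):
        clsid = CLSID_RE.search(body)
        entry["clsid"] = clsid.group(0) if clsid else None
        if body.endswith("(no file)"):
            # The registered DLL no longer exists: a leftover registration, safe to remove.
            entry["verdict"] = "orphaned registration"
    elif section == "O4":
        m4 = O4_RE.match(line)
        if m4:
            entry.update(m4.groupdict())
            entry["verdict"] = "autostart program"
    elif section == "O6":
        # Policies under HKCU\Software\Policies\...\Internet Explorer lock IE settings;
        # on a home PC they are normally set by malware, not by an administrator.
        entry["verdict"] = "IE policy restriction"
    return entry


def triage(log_text):
    """Parse every entry line of a HijackThis log, skipping headers and blank lines."""
    return [e for e in (parse_line(l) for l in log_text.splitlines()) if e]


def count_verdicts(log_text):
    """Summarise a log as {verdict: number of entries}."""
    counts = {}
    for e in triage(log_text):
        counts[e["verdict"]] = counts.get(e["verdict"], 0) + 1
    return counts
```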
     
  5. Ramza

    Ramza Private E-2

    Ok I did everything that you had said to do. Here are the logs and so far so good. Thank you very much for the help. Hopefully everything is fine. Thanks again!
    One more question, there's a folder named QooBox, it appears to be the folder Combofix dumped quarantined files into. Is it safe to delete?
     

    Attached Files:

  6. abri

    abri MajorGeek

    Hi Ramza,
    Please run Avenger again as in post 4, only this time use the contents of this box:
    Other than that, your logs look good. The Qoobox will be deleted with our final instructions:


    abri
     
  7. Ramza

    Ramza Private E-2

    Thanks for the help! Here's the avenger log. Everything's working fine now. I really appreciate the time you have spent on helping me with this problem. Thanks again!
     

    Attached Files:

  8. abri

    abri MajorGeek

    You're welcome!
    The Avenger log looks good.
    Happy and safe surfing!
    abri
     
