Did Malware R&R, please see the attached logs.

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by mrslcook, Jun 16, 2008.

  1. mrslcook

    mrslcook Private E-2

    Hello,
    First off I want to say thank you for the extremely helpful forums and downloads!

    My computer problems started at the end of April. At first my wallpaper would go blank and it would have a warning box "Warning! Your Computer is infected with Spyware! Help protect your computer and remove Spyware! Click here for more info", and the link sends me to a page prompting me to buy PC-Antispyware.
    I would get periodical pop-ups saying "System Integrity Scan Wizard". Plus, multiple porn sites and different advertising pop-ups. I was able to remove those with the help of the forums, but now my computer is painfully slow. Please see my attached logs.
    TIA!
     

    Attached Files:

  2. abri

    abri MajorGeek

    Hi mrslcook!
    Welcome to Major Geeks!

    In case we're crossing paths, just wanted to ask you for the Combofix log as well. If you weren't able to run it, let me know. It takes awhile for us to look at the logs and set up instructions, so thanks for being patient.

    abri
     
  3. mrslcook

    mrslcook Private E-2

    No, thank you.

    Here is my combofix log. I just finally got it to run. I hope CF ran correctly, my Online Armor kept popping up.

    Thanks again!
     

    Attached Files:

  4. abri

    abri MajorGeek

    Hi mrslcook,


    1) Please go to the following folders in Windows Explorer and delete any of the files in them that you are allowed to delete. Windows will not allow you to delete files from the current date.

    C:\WINDOWS\Temp\
    C:\Documents and Settings\Lydia Cook\Local Settings\Temp\



    2) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (Note: if using Vista, don't double click, use right click and select Run As Administrator). Select "Do a system scan only". In the box that opens, find the following entries and put a checkmark next to them (if you need some of them to be in the trusted zone, leave them). After check-marking them, close all your open browser windows and click on FIX:

    O2 - BHO: (no name) - {9A950040-DCC5-464F-B91A-833B961C0FDA} - (no file)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Policies\Explorer\Run: [5duan0MtQ5] C:\Documents and Settings\All Users.WINDOWS\Application Data\jqnkpgdm\nahgnqds.exe
    O20 - Winlogon Notify: hgGaxxXr - hgGaxxXr.dll (file missing)

    Do you need the following program? If not, please fix it as well.

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://club.live.com/searchandgive.aspx?rp=26572&wa=wsignin1.0
    O3 - Toolbar: Live Search Club Toolbar - {719D74AB-1AF9-43a1-8C62-D8750628D93E} - C:\Program Files\Live Search Club Toolbar\Toolbar.dll

    After you click fix, just close hijackthis.


    3) Next I would like to have you use ComboFix to remove some files.


    • Make sure that combofix.exe (cf.exe) that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):


    Code:
    KILLALL::
    
    DIRLOOK::
    
    C:\d6bda716e93052f653aa213c0602a4
    
    FILE::
    C:\WINDOWS\system32\KmUxayxx.ini
    C:\WINDOWS\system32\KmUxayxx.ini2
    C:\WINDOWS\system32\pwnxtaqt.ini
    C:\WINDOWS\system32\xyysrpra.ini
    C:\Documents and Settings\All Users.WINDOWS\Application Data\jqnkpgdm\nahgnqds.exe
    C:\Documents and Settings\Lydia Cook\Local Settings\Temporary Internet Files\Content.IE5\DSDJKHJZ\VundoFix[1].exe
    C:\RECYCLER\S-1-5-21-796845957-1078145449-1343024091-1003\Dc43\WinCE Pocket PC AntiVirus    .EXE
    
    FOLDER::
    C:\Documents and Settings\All Users.WINDOWS\Application Data\jqnkpgdm
    
    REGISTRY::
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/cpbrkpie.ocx]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
    "5duan0MtQ5"=-
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hgGaxxXr]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9A950040-DCC5-464F-B91A-833B961C0FDA}]
    
    [-HKEY_CURRENT_USER\Software\Kazaa]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\knight]
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "HideLegacyLogonScripts"=-
    "HideLogoffScripts"=-
    "RunLogonScriptSync"=-
    "RunStartupScriptSync"=-
    "HideStartupScripts"=-
    
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "HideLegacyLogonScripts"=-
    "HideLogoffScripts"=-
    "RunLogonScriptSync"=-
    "RunStartupScriptSync"=-
    "HideStartupScripts"=-
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe (cf.exe)
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below


    Note: Do not mouseclick combofix's window while it is running. That may cause it to stall.


    4) Now run CCleaner at the default setting with the Windows tab as the top one.

    5) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip along with the Avenger or Combofix log.


    Let me know how things are running now.

    abri
     
  5. mrslcook

    mrslcook Private E-2

    Hello,
    Thank you for your help.

    In reply to your post. You asked
    Do you need the following program? If not, please fix it as well.

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://club.live.com/searchandgive.a...&wa=wsignin1.0
    O3 - Toolbar: Live Search Club Toolbar - {719D74AB-1AF9-43a1-8C62-D8750628D93E} - C:\Program Files\Live Search Club Toolbar\Toolbar.dll

    Yes, this is a fundraising search engine for child's school.


    I attached the logs you requested. My computer no longer seems to have any malware or other spyware type problems.

    But I would like to ask if you can help me gain some of my computer's speed back. My start-up seems to take a long time (I have not timed it) and just simple navigating between programs has slowed considerably. Even with cable internet, it seems slow going back and forth between pages. I have done MG's suggested tutorials & basic steps on computer maintenance and how to regain some of your computer's speed. I have to admit, I'm afraid to use CC to remove unneeded startups and have been told I have a lot of "stuff" running in the background. If you can help (I know I can't get it back to brand-new speed) please instruct me on what I can do to assist you.

    I sincerely thank you for your time and effort you've put out in assisting me.
     

    Attached Files:

  6. abri

    abri MajorGeek

    Hi mrslcook,

    I'm glad to hear things are better. Your logs are clean. CCleaner is not a good way to remove startup items, because it is permanent. In the final cleanup instructions, I'll ask you to remove all the tools and logs we had you put on your computer. I'll also show you how you can keep HijackThis which can be useful to remove startup items. By keeping the backup folder, you can restore these later if it turns out to be a mistake.

    Below I will give you the final cleanup instructions in the first box and following that, I'll post some special instructions on how to manage startup items. This should help with some of your speed problems. I also encourage you to start a thread in either the Software or Hardware Forums where you can get more feedback on this.


    To keep HijackThis (analyse.exe), please skip the step which asks you to remove HijackThis via add/remove programs and see the extra instructions in gray at the bottom of the box.
     
