Followed all READ AND RUN ME FIRST steps - still bothered after Trojan infection

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by StoneHenge, Jan 15, 2011.

  1. StoneHenge

    StoneHenge Private E-2

    Greetings:

    Last week McAfee detected and removed:
    \LocalSettings\ApplicationData\cormst.dll

    that led to the detection of Trojan:win32/Hiloti.gen!D

    I followed all steps in the READ AND RUN ME FIRST page.

    When I log on that user account I am still getting the pop-up:

    Error loading C:\Documents and Settings\User\Local Settings\Application Data\ovifohav.dll

    I can still perform all actions through the administrator account.

    I appreciate all suggestions/assistance/help you can give.

    Thanks
     

    Attached Files:

  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Welcome to Major Geeks!

    Please read ALL of this message including the notes before doing anything.

    Please follow the instructions in the below link:

    READ & RUN ME FIRST. Malware Removal Guide


    and attach the requested logs when you finish these instructions.
    • **** If something does not run, write down the info to explain to us later but keep on going. ****
    • Do not assume that because one step does not work that they all will not. MGtools will frequently run even when all other tools will not.

    • After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain ( if any still do )!
    Helpful Notes:

    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
    2. If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware and Malwarebytes ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
    3. If you cannot seem to login to an infected user account, try using a different user account (if you have one) in either normal or safe boot mode and running only SUPERAntiSpyware and Malwarebytes while logged into this other user account. Then reboot and see if you can log into the problem user account. If you can then run SUPERAntiSpyware, Malwarebytes, ComboFix and MGtools on the infected account as requested in the instructions.
    4. To avoid additional delay in getting a response, it is strongly advised that after completing the READ & RUN ME you also read this sticky:
    Any additional post is a bump which will add more delay. Once you attach the logs, your thread will be in the work queue and as stated our system works the oldest threads FIRST.
     
  3. StoneHenge

    StoneHenge Private E-2

    Thanks Kestrel.

    I am attaching four of the five requested logs. The fifth will follow in the next reply.

    Kindest regards
     

    Attached Files:

  4. StoneHenge

    StoneHenge Private E-2

    Here is the fifth log that you requested.
     

    Attached Files:

  5. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I take it you ran scans on this affected account?

    Before we continue I would like for you to use MSConfig to put this machine back into normal start up mode

    Please disable Spybot's TeaTimer.

    How to disable Spybot's TeaTimer

    Uninstall the below outdated versions of Java.
    • J2SE Runtime Environment 5.0 Update 6
    • Java(TM) 6 Update 12
    • Java(TM) 6 Update 5
    • Java(TM) 6 Update 7
    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    Optional to fix to free up resources


    After clicking Fix exit HJT.


    If you do not know what these are then please delete them.
    • c:\program files\276k9w4c.exe
    • c:\program files\ng5a4nta.exe
    Reboot your machine and install the most current and up to date version of Java available here at the below link:

    Java Runtime 6

    I strongly advise you to cleanup your Desktop. Remove everything but links to run programs. Do not download and save programs here and definitely do not use it for long term storage. You need to keep ComboFix.exe here for now as we need it, but we will be removing it when we are finished with your cleanup. A cluttered Desktop is malware's playground and it can also cause performance degradation especially when you start saving large files here.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

    Let us know of any problems you may have encountered with the above instructions and also let me know how things are running now!
     
  6. StoneHenge

    StoneHenge Private E-2

    Kestrel:

    I will follow all of those steps. Also, I checked SpyBot startup, and it has the apparent location of the infected item listed in the startup list; so I unchecked it, and the problem 'seems' to have ceased because the dll is no longer running at startup. I still have issues with access to some folders, but for now, here is what SpyBot indicates as the malicious .dll

    HK_CU:Run (User S-1-5-21-3752200638-408136642-4136389770-1010)

    Tzojolelole

    Rundll32.exe “C:\Documents and Settings\Col\Local Settings\Application Data\ovifohav.dll”,Startup

    Thanks, again. And now I'll follow your next steps.

    Cheers
     
  7. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hmm, I did not see in the logs what Spybot is referencing. As I had previously asked, are you indeed running scans on the account that is affected? If not, you need to. But follow my previous instructions first.
     
  8. StoneHenge

    StoneHenge Private E-2

    Kestrel

    I followed all of your instructions.

    Here are the MGtools logs you requested.

    Nowhere in the logs did I find reference to what SpyBot found in the startup list.

    I'm not sure how to go about deleting a .dll that only shows up in a startup list, but doesn't have an identifiable .exe

    Also, I deleted:

    276k9w4c.exe and hg5a4nta.exe

    both of those were outdated DrWebCureIt applications I ran prior to contacting you.

    Kestrel, is there any way to delete the .dll and its application by accessing this key?:

    HK_CU:Run (User S-1-5-21-3752200638-408136642-4136389770-1010)

    I just checked SpyBot, and the oddly-named Tzojolelole is still present in the startup list.

    I appreciate your help Kestrel. I'll wait for your next set of instructions.
     

    Attached Files:

  9. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    If the "Col" account is where the trouble is happening (which clearly it is by your screenshot and the file path you gave), then you need to be running all the scans from scratch on THAT account. :)
     
  10. StoneHenge

    StoneHenge Private E-2

    AHA!! Never thought of that Kestrel!

    I'll start working on it tonite and repost all the logs for you when I'm done!

    thanks again!
     
  11. StoneHenge

    StoneHenge Private E-2

    Kestrel, how are ya?

    I re-scanned everything through the other account as you asked me to do.

    Still same issue...which leads me to ask a few other questions before I get a reply from you.

    1) You will find my logs attached in two messages after I post now.

    2) Is there a way for SpyBot to tell me what .exe is linked to the .dll that I can still disable on startup through S&D?

    3) Do you know the name of another 'TaskManager' management program I can run to identify which .exe is running to cause this error?

    I am attaching a shot of Windows TaskManager to show that it is THE TOP rundll32.exe that always causes the problems, and closes when I 'X' the error dialog box.

    4) A windows search for the 'infected' key returns a list of folders associated with: User S-1-5-21-3752200638-408136642-4136389770-1010 ; all of the folders associated with that User ID are Microsoft files. Can it be that the virus removed by McAfee affected the Microsoft files?

    I am posting a snap (screenshot) of the User ID, and a second one of the Microsoft folders associated with that user.

    5) Can I use (Win XP Pro > Start > Control Panel > Administrative Tools > Event Viewer > System) Event Viewer to access the Processor Affinity box to uncheck all CPUs associated with this process to stop it from running?
    Would this affect the performance of my HD which up to now has run VERY WELL, and been virus free for over two years? (I am attaching a .jpg of the two presently 'checked' CPU boxes on which this error message 'seems' permitted to run).

    6) When I ran the scans through the affected account, I found that I can only run binaries (EXEs) by accessing them as an administrator, whereas prior to this infection I was able to run programs without administrator access.

    7) I guess my burning question in all this is: how can I identify which .exe is powering the .dll error report, and can I find out this information via a Windows, SpyBot, MBAM, or Panda source? If not, is there any other option that YOU know of that would help me to identify which executable is running to generate this .dll error message.

    Again, K-Rock, these are just questions, and if there is a better solution or more troubleshooting you can think of I will try everything you give me (AND... I'll do it in the correct order so as not to irritate you :major). If you have another rootkit analyzer, or program definitions configurator I'll follow your lead.

    Gratefully, StoneHenge

    p.s. logs are to follow
     

    Attached Files:

  12. StoneHenge

    StoneHenge Private E-2

    Kestrel:

    Logs - set 1.
     

    Attached Files:

  13. StoneHenge

    StoneHenge Private E-2

    Kestrel:

    Logs - set 2.
     

    Attached Files:

  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The logs you just attached are still from the user account named "bo". You need to provide logs from the "col" user account if you wish to fix the problems occurring on it. You don't need to identify any processes or DLLs. Once you attach the proper logs, we should be able to tell you what to do to remove the problem. All you need to do is run MGtools after logging into the col account and you should have logged out of the other user account first. You may need to change col to an admin account to run MGtools properly.
     
  15. StoneHenge

    StoneHenge Private E-2

    For sure! I logged in as 'col' but had to run the scans as 'administrator' 'BO' because the programs would otherwise not run.

    I will give 'col' admin access and re-run the logs tonite.

    Thanks chaslang!
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes but that makes everything run as "bo" ;) which is what I see in the logs. Just make a temporary change to col's permissions and then log into that account and run MGtools. You only need to run MGtools for now and attach the new log.
     
  17. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    It looks like you ran the scans on the "bo" account again!



    • Admin
    • Administrator
    • bo
    • col <--- You need to be using this account and running scans on this account! :)
    • gin
    • Guest
    • HelpAssistant (Disabled)
    • SUPPORT_388945a0 (Disabled)
    • tu
     
  18. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Ahh, thanks Chas. Didn't see your post until just.
     
  19. StoneHenge

    StoneHenge Private E-2

    Kestrel: so far I have NOT been running in SafeMode, is that okay? I didn't see anything in the Read and Run Me First Post about safemode; I will begin re-scanning in a few minutes...just in case you get this message. Otherwise I'll proceed in Normal Mode.

    Thanks
     
  20. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Normal mode. Yes please! :)
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Just MGtools is all you need to do to start. This will only take 5 to 10 minutes max.
     
  22. StoneHenge

    StoneHenge Private E-2

    :wave: It may take me all nite, but I'll get it for you!!! :wave:
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    NOOO! See my last few messages!!! Only MGtools and it will be a few minutes
     
  24. StoneHenge

    StoneHenge Private E-2

    Chaslang: You're right, it really was only 10 or so minutes...

    Attached you will find the MGlogs you requested.

    Thank you very much for your help.
     

    Attached Files:

  25. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.

    Then delete this file if it exists, but I suspect it may not.

    C:\Documents and Settings\col\Local Settings\Application Data\ovifohav.dll

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

    How are things running now?
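The mechanism behind this fix and the Spybot startup entry from post 6 (a rundll32 value under the user's Run key that loads a DLL from Local Settings\Application Data, then a REGEDIT4 patch that deletes that value) as an added PowerShell example. This is not MGtools, not the fixME.reg the staff posted, and not their method; it assumes PowerShell 3.0 or later and the standard profile environment variables, and every path and value name it finds comes from the machine it runs on. Note that what Spybot showed as HK_CU:Run (User S-1-5-21-...) is the same key as HKCU:\...\Run for the logged-in user, which is why the entry only existed while logged in as "col".

```powershell
# Added example, not MGtools, not the thread's fixME.reg, and not the staff's
# method: audit the per-user and machine Run keys for rundll32 entries that
# load a DLL from a user-writable profile path, and report whether that DLL
# still exists. A Run value whose DLL was deleted by an AV product (but whose
# registry value was left behind) is exactly what yields the
# "Error loading <path>\something.dll" dialog at logon.
# Assumes PowerShell 3.0+ and the standard profile environment variables.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Profile directories a standard user can write to. Autostarting a DLL from
# here (rather than Program Files or System32) is the pattern seen in the
# thread: ...\Local Settings\Application Data\ovifohav.dll. The last entry
# is the Windows XP name for what is now LOCALAPPDATA.
$profileDirs = @($env:LOCALAPPDATA, $env:APPDATA, $env:TEMP,
                 "$env:USERPROFILE\Local Settings") | Where-Object { $_ }
$userWritable = ($profileDirs | ForEach-Object { [regex]::Escape($_) }) -join '|'

function Get-RunDll32Entries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            $cmd = [string]$item.GetValue($name)
            # rundll32[.exe] "<path>.dll",<EntryPoint>   (quotes optional; an
            # unquoted path containing spaces is an accepted limitation here)
            if ($cmd -notmatch '(?i)rundll32(\.exe)?\s+"?([^",]+?\.dll)"?\s*,\s*(\S+)') { continue }
            $dll = $Matches[2]
            [pscustomobject]@{
                Key          = $key
                ValueName    = $name
                Dll          = $dll
                EntryPoint   = $Matches[3]
                DllExists    = [bool](Test-Path -LiteralPath $dll)
                UserWritable = [bool]($dll -match "(?i)^($userWritable)")
            }
        }
    }
}

# Build a REGEDIT4-format patch (the format used for the thread's fixME.reg)
# that deletes the given Run values. In .reg syntax, "Name"=- deletes a value.
function New-RunValueDeletePatch {
    param([Parameter(ValueFromPipeline = $true)] $Entry)
    begin   { $lines = @('REGEDIT4', '') }
    process {
        $hive = $Entry.Key -replace '^HKCU:', 'HKEY_CURRENT_USER' `
                           -replace '^HKLM:', 'HKEY_LOCAL_MACHINE'
        $lines += "[$hive]"
        $lines += "`"$($Entry.ValueName)`"=-"
        $lines += ''
    }
    end     { $lines -join "`r`n" }
}

# Flag anything loaded from a user-writable path or pointing at a missing DLL.
$findings = Get-RunDll32Entries | Where-Object { $_.UserWritable -or -not $_.DllExists }
$findings | Format-Table Key, ValueName, Dll, DllExists, UserWritable -AutoSize

if ($findings) {
    # Written for review only; nothing is merged into the registry here.
    $patch = "$env:USERPROFILE\Desktop\remove-run-values.reg"
    $findings | New-RunValueDeletePatch | Set-Content -LiteralPath $patch -Encoding Ascii
    Write-Host "Review and then merge: $patch"
}
```

Run it while logged in as the affected user, since HKCU is that user's hive; the script only reads the registry and writes the patch file to the Desktop for review, so merging it (double-clicking, as the staff instructed for fixME.reg) remains a deliberate step. An entry whose DllExists column is False and whose path is under the profile is the orphaned loader this thread was chasing; an entry whose DLL does exist under a user-writable path is worth submitting to the malware forum rather than deleting blindly.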
     
  26. StoneHenge

    StoneHenge Private E-2

    Kestrel: Attached you will find the MGlogs for my Dell that is now running perfectly and amazingly fast!!!:p

    Special thanks to you and Chaslang for your excellent work and attention to detail.

    I'm wondering what turned you on to the RegEdit4 fix? ...and how was I off track to think it was an infection? What could have caused the change to my registry? the infection? or the removal of it? What made you think it only affected the "col" account and not others? Is there an AV that could have prevented this issue?

    What direction do I go now? SysRestore toggle? Hiberfil?

    How does a person like me 'give back' to MajorGeeks as a thank you for all the attention and help you've given?

    Also, do I have to get another virus in order to make 50 posts so I can PM you?:-D...No, really?!?!?

    I'm seriously not worthy, but thank you VERY much (*I believe it is fully fixed*)

    ...but I'm still waiting for your reply to know what to do next.


     

    Attached Files:

  27. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Uninstall these outdated versions of Java

    • Java(TM) 6 Update 5
    • Java(TM) 6 Update 7
    But keep 6.23 as it is current.

    You're welcome.

    We use a lot of reg patches, maybe to kill off a reg key or a value, or if available we will use ComboFix or Avenger to do the same job.

    It was obviously there at some point, however perhaps some software like spybot was used to prevent it from running or perhaps someone had used MSCONFIG to control the bad start up. It was trapped anyway, and now it has gone.
    What change?

    Because from the screenshot you gave and the file path you provided revealed it was in the Col account! :)
    Ooooh good question. But the answer is going to be vague. Fact is, the best antivirus out there is the person at the keyboard.
    I will list final steps for you to follow soon.
    At the end of each of my posts is a couple links. We do not accept donations but lots of cool geekwear to look at!

    No need for PM's. We would rather it be out in the open in the forum if it is regarding anything technical. That way everyone benefits. The restriction on not being able to send PM's until after 50 posts has been made is a bit of a precaution.
    Yes! So do I, I am not seeing anything else to deal with.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
  28. StoneHenge

    StoneHenge Private E-2

    Kestrel13!

    1) Thank you very much for your help. I didn't make the 50 post mark, and I hope I won't ever need to post here again with problems. You know, I joined MajorGeeks last summer, but I didn't require any help; I just found this site when looking for TweakFiles (*an old school site from wayyyyy back*). Reading others' posts in the malware forum this week has opened-up my own 'troubleshooting' brain about what fixes could be applied. AND - the restriction from posting my ideas really makes me want to check in everyday to find out how the problems get resolved without interfering with you professionals. I'll keep reading along to find out how other posts get their fixes.

    2) I'm not sure if there is a forum here to ask about software, but if you have a minute to share your thoughts on Hostsman and Sandboxie - it'd be well received.

    3) When MBAM released their full, paid version I was studying at the university and didn't have the ca$h to buy it. Well, I bought it tonight, so I can sleep a little better knowing it will be active about malware, even when I'm not! But, you're right, the best AV protection is the person at the keyboard.

    4) Kestrel, is it better to disable startup programs through msconfig, or through SpyBot, or another program?

    5) Is there a tutorial here on MG to learn more about registries and how they work?

    Thanks Kestrel
     
  29. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Ah!! Way before my time then! :)
    There is indeed a Software Forum you can post in and ask questions relating to what you mentioned.

    Never through MSCONFIG. Anything other than normal mode is primarily only used for troubleshooting and diagnostic purposes. If you wish to control startups I would suggest you use something such as Start Up CPL
    Try taking a look at the below links.

    Windows registry information for advanced users
    How to add, modify, or delete registry subkeys and values by using a registration entries
    Windows Registry
    Registry Hives

    Most welcome.
     
  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I also refer you to step 4 of the READ & RUN ME again. ;)
     
