Friend has possible Malware etc, need your help....

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Silent_Killer, Feb 18, 2008.

  1. Silent_Killer

    Silent_Killer Private E-2

    Hey,

    My friend's PC has been acting weird and I think he has some malware. It started being strange a week ago when his MSN Live would not load up, and he says at times his PC is a bit slower than normal.

    I've attached a MGlogs.zip and combofix.txt so you guys can have a look and hopefully help him get clean again, if he has got malware. He also wants to do a format in a couple of days, but I told him it's best to get rid of any malware if there's any, as a format doesn't mean he will be clean again.

    Regards.
     


  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please attach the requested log from SUPERAntispyware.

    By the way, a repartitioning with a format and reinstall will clean the PC. If you just reinstall over your current installation, that will not clean the PC.

    ComboFix did show that it deleted this worm: http://www.sophos.com/security/analyses/w32rbotgv.html

    I do want to see what SUPERAntispyware finds and removes before we go any further.

    Please uninstall SpywareBot if still installed.

    Also uninstall the Java 6 update 3 version as requested in the READ ME and install the current version from the given link.

    Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\Temp\
    C:\Documents and Settings\TayLoR\Local Settings\Temp
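The Temp-folder cleanup requested above, as an added PowerShell example that is not part of the thread: it lists (and with -Delete, removes) files in the two folders named in the post, skipping anything written today. It assumes PowerShell is installed on the XP machine and that the profile name "TayLoR" from the post is correct.

```powershell
# Added example (not from the thread): clean the two Temp folders named in the
# post, skipping files modified today. Dry run by default; pass -Delete to act.
param(
    [switch]$Delete
)

# Folders from the post; the second path assumes the profile name "TayLoR".
$tempFolders = @(
    'C:\WINDOWS\Temp',
    'C:\Documents and Settings\TayLoR\Local Settings\Temp'
)

$today = (Get-Date).Date

foreach ($folder in $tempFolders) {
    if (-not (Test-Path -LiteralPath $folder)) {
        Write-Host "Skipping missing folder: $folder"
        continue
    }
    # -Force includes hidden files; PSIsContainer filter skips subfolders so
    # this works on the older PowerShell versions an XP box would have.
    $old = Get-ChildItem -LiteralPath $folder -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $_.LastWriteTime.Date -lt $today }

    Write-Host ("{0}: {1} file(s) older than today" -f $folder, @($old).Count)
    foreach ($f in $old) {
        if ($Delete) {
            # Files held open by a running process will not delete; report them.
            Remove-Item -LiteralPath $f.FullName -Force -ErrorAction SilentlyContinue
            if (Test-Path -LiteralPath $f.FullName) {
                Write-Host "  still present (in use?): $($f.FullName)"
            }
        } else {
            Write-Host "  would delete: $($f.FullName)"
        }
    }
}
```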
     
  3. Silent_Killer

    Silent_Killer Private E-2

    Attached the new logs.

    He said his folders have gone a little transparent automatically after doing the ComboFix scan last night. He said his PC is running a little better after the scan, though.

    Edit:

    He doesn't know what the BearShare is that super found, and he said he doesn't really use Zango (which IMO is a suspicious toolbar).
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What is the below file? This is a strange way to name a file.
    Code:
    "C:\Documents and Settings\TayLoR\My Documents\"
    lskmv_~1.wps  10 Feb 2008        9728  "lskmv;lkmv.wps"

    Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Go to Add/Remove Programs and uninstall BearShare. This was requested in step 1 of the READ ME.

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"

    Is the below really used? If not, have HijackThis fix it too. Things like this are a waste of resources to always be loading.
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe

    After clicking Fix, exit HJT.

    Now reboot. After reboot, delete the below folders if found:
    C:\Documents and Settings\TayLoR\Application Data\BearShare
    C:\Documents and Settings\All Users\Application Data\Kontiki
    C:\Program Files\BearShare Applications
    C:\Program Files\Kontiki

    Also delete the below file.
    C:\WINDOWS\system32\HFX75.tmp


    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

    Make sure you tell me how things are working now!
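A read-only check for the autorun entries the post has HijackThis fix, as an added PowerShell example that is not part of the thread: it reads the HKLM Run key, the global Startup folder and the O2 BHO key from the lines above and flags anything that should have been removed. Paths assume Windows XP; the script changes nothing.

```powershell
# Added example (not from the thread): verify the O2/O4 entries listed in the
# post are gone and show what else still starts with Windows. Read-only.

# The HKLM Run value names from the O4 lines above.
$expectedGone = @('QuickTime Task', '4oD', 'SunJavaUpdateSched')

$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$props  = Get-ItemProperty -Path $runKey
# Drop the PS* bookkeeping properties Get-ItemProperty adds to the object.
$values = $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }

Write-Host "HKLM Run entries still present:"
foreach ($v in $values) {
    $flag = if ($expectedGone -contains $v.Name) { '   <-- should have been fixed' } else { '' }
    Write-Host ("  [{0}] {1}{2}" -f $v.Name, $v.Value, $flag)
}

# The O2 BHO with no file: the CLSID from the post. A missing key is the goal.
$bho = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}'
Write-Host ("O2 BHO key still present: {0}" -f (Test-Path -LiteralPath $bho))

# Global Startup folder (the O4 - Global Startup line). Path assumes Windows XP.
$startup = 'C:\Documents and Settings\All Users\Start Menu\Programs\Startup'
if (Test-Path -LiteralPath $startup) {
    Write-Host "Global Startup folder contents:"
    $shell = New-Object -ComObject WScript.Shell
    Get-ChildItem -LiteralPath $startup -Force | ForEach-Object {
        $target = ''
        if ($_.Extension -eq '.lnk') {
            # Resolve the shortcut target so the entry reads like the HJT line.
            $target = $shell.CreateShortcut($_.FullName).TargetPath
        }
        Write-Host ("  {0} = {1}" -f $_.Name, $target)
    }
}
```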
     
  5. Silent_Killer

    Silent_Killer Private E-2

    Hey,

    Sorry for the delay, was away with work.

    That strangely named file is just one he created by randomly hitting keys lol, but I've got him to do everything you said. He couldn't find the BearShare folders after the HijackThis scan and fix, but he found and deleted all the others. He says his PC seems to be running a little better now, especially at startup.

    I've got the MGLogs.zip but I don't know what Avenger is and it's not on the READ & RUN ME list.

    Thanks & Regards.
     


  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not sure how he missed it, but the below one is still there based on the logs:

    C:\Program Files\BearShare Applications

    That was just something I forgot to remove. I was going to have you use it to delete files and folders but since they were not the kind that are that problematic to remove, I just had you do it manually and I forgot to remove the request for the Avenger log.

    The logs are now clean other than the mentioned folder above.

    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix then UNINSTALL COMBOFIX (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN
      • Now type combofix /u in the runbox and click OK.
      • Note: The space between the X and the /U, it must be there.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    6. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    7. If we had you run Avenger, you can delete all files related to Avenger now.
    8. If we had you run RenV.exe, you can delete it and the Log.txt file on your Desktop.
    9. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    10. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    11. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    12. If you are running Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    13. After doing the above, you should work through the below link:
     
