hello - several trojans - log files #1

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by gmayhugh, Jul 2, 2008.

  1. gmayhugh

    gmayhugh Private E-2

    Hello,

    I have been here for help before, and now I am back...hahahaha

    I have been having a ton of problems with my work PC, and I have followed your steps. Can you please look at my log files and see if there is anything that I might have missed... I will post my MGlog.zip next

    thanks
     

    Attached Files:

  2. gmayhugh

    gmayhugh Private E-2

    Re: hello - several trojans - log files #2

    this is my MGlog.zip file...hope it is in the right place
     
  3. abri

    abri MajorGeek

    Hi gmayhugh,
    Welcome to Major Geeks!


    I deleted your other thread. This is the right place, but you forgot to attach the logs. You may still be within the timeframe to edit your post. Go to advanced options and scroll down till you see the Manage Attachments button. The logs are a file, not a folder, directly under C:\ and have the name MGlogs.zip.

    abri
     
  4. gmayhugh

    gmayhugh Private E-2

    repost mglog

    I have tried again
     

    Attached Files:

  5. abri

    abri MajorGeek

    Hi gmayhugh,

    Ah... A repeat offender. If this is a work computer, why are there all those poker games on it? Those are like magnets for malware. I'm recommending in the instructions below that you remove them.

    Before we start please delete as many files in the following two folders as Windows will allow you to delete. You will not be able to delete files from the current date.

    C:\WINDOWS\Temp\
    C:\Documents and Settings\gmayhugh\Local Settings\temp\


    And now please continue as follows:


    1) Please disable your guest account if this hasn't already been done.


    2) Go to add/remove programs and uninstall the below:

    Viewpoint Media Player
    Java 2 Runtime Environment, SE v1.4.2_04
    Java(TM) 6 Update 2
    Java(TM) SE Runtime Environment 6 Update 1
    Poker Wingman
    PokerStars.net
    Bodog Poker Version 2.13.6.4


    3) Reboot after uninstalling the above.

    4) Install the current version of Sun Java from: Sun Java Runtime Environment



    5) Next I would like for you to stop some services:

    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to LiveUpdate Notice Service Ex
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Repeat the above instructions, but for LiveUpdate Notice Service
    • Click OK until you get back to Windows.



    6) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (Note: if using Vista, don't double click, use right click and select Run As Administrator). Select 'Do a system scan only'. In the box that opens, find the following entries and put a checkmark next to them (if you need some of them to be in the trusted zone, leave them). After check-marking them, close all your open browser windows and click on FIX:

    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6261\SiteAdv.exe"
    O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
    O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe
    O9 - Extra button: CarbonPoker - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Documents and Settings\gmayhugh\Start Menu\Programs\CarbonPoker\CarbonPoker.lnk (HKCU)
    O16 - DPF: {74E4A24D-5224-4F05-8A41-99445E0FC22B} (GameHouse Games Player) - http://www.gamehouse.com/games/gamehouse/ghplayer.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
    O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
    O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe


    Do you need the following program to load at startup? If not, please fix it as well.

    O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"


    After you click fix, just close hijackthis.



    7) Next I would like to have you use ComboFix to remove some files.


    • Make sure that combofix.exe (cf.exe) that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):


    Code:
    KILLALL::
    
    DIRLOOK::
    C:\WINDOWS\CSC
    
    FILE::
    C:\WINDOWS\BMe3b084d8.txt
    C:\WINDOWS\BMe3b084d8.xml
    
    
    REGISTRY::
    [-HKEY_CURRENT_USER\Software\Kazaa]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\knight]
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "HideLegacyLogonScripts"=-
    "HideLogoffScripts"=-
    "RunLogonScriptSync"=-
    "RunStartupScriptSync"=-
    "HideStartupScripts"=-
    
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "HideLegacyLogonScripts"=-
    "HideLogoffScripts"=-
    "RunLogonScriptSync"=-
    "RunStartupScriptSync"=-
    "HideStartupScripts"=-
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe (cf.exe)
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below


    Note: Do not mouseclick combofix's window while it is running. That may cause it to stall.


    8) Now run CCleaner at the default setting with the Windows tab as the top one.

    9) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip along with the Combofix log.


    Let me know how things are running now?

    abri
     
    Last edited: Jul 3, 2008
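    The HijackThis lines abri lists in step 6 follow a fixed layout: a section code (O4, O9, O16, O23) and a section-specific body. The script below is an added example, not code from this thread, from MajorGeeks or from HijackThis itself: it parses those four section types into records and shortlists the entries a reviewer would look at first, such as services whose binary is missing or ActiveX controls pulled from a URL. The sample lines are copied from post 5; the regular expressions and the Entry record are my own assumptions about the format, based only on those lines.

```python
import re
from dataclasses import dataclass, field

# Added example, not part of the MajorGeeks thread or of HijackThis.
# Sample lines are copied from abri's post 5 above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O16 - DPF: {74E4A24D-5224-4F05-8A41-99445E0FC22B} (GameHouse Games Player) - http://www.gamehouse.com/games/gamehouse/ghplayer.cab
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
"""


@dataclass
class Entry:
    section: str                 # O4, O9, O16, O23 ...
    name: str                    # value name, button title, control or service name
    path: str                    # executable, .cab URL, or service binary
    flags: list = field(default_factory=list)   # reasons a reviewer should look at it


# Patterns are assumptions derived from the sample lines, not an official grammar.
LINE = re.compile(r"^(O\d+) - (.*)$")
RUN = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
BUTTON = re.compile(r"^Extra button: (?P<name>.+?) - \{(?P<clsid>[^}]+)\} - (?P<path>.+?)(?: \((?P<hive>HK\w+)\))?$")
DPF = re.compile(r"^DPF: \{(?P<clsid>[^}]+)\} \((?P<name>[^)]+)\) - (?P<url>\S+)$")
SERVICE = re.compile(r"^Service: (?P<display>.+?)(?: \((?P<short>[^)]+)\))? - (?P<owner>.+?) - (?P<path>.+)$")


def _exe_from_cmd(cmd: str) -> str:
    """Pull the executable path out of a Run value: quoted path, else first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def parse_hjt(text: str) -> list:
    """Parse O4/O9/O16/O23 lines into Entry records; unknown shapes are kept and flagged."""
    entries = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        section, body = m.group(1), m.group(2)
        if section == "O4" and (r := RUN.match(body)):
            entries.append(Entry(section, r["name"], _exe_from_cmd(r["cmd"])))
        elif section == "O9" and (b := BUTTON.match(body)):
            entries.append(Entry(section, b["name"], b["path"]))
        elif section == "O16" and (d := DPF.match(body)):
            # Downloaded Program Files: an ActiveX control fetched from a URL.
            entries.append(Entry(section, d["name"], d["url"], ["downloads ActiveX from the web"]))
        elif section == "O23" and (s := SERVICE.match(body)):
            path, flags = s["path"], []
            if path.endswith("(file missing)"):
                # Orphaned service: still registered to start, but its binary is gone.
                path = path[: -len("(file missing)")].rstrip()
                flags.append("file missing")
            if s["owner"] == "Unknown owner":
                flags.append("unknown owner")
            entries.append(Entry(section, s["display"], path, flags))
        else:
            entries.append(Entry(section, body, "", ["unparsed"]))
    return entries


def triage(entries: list) -> list:
    """Return (section, name, reason) for every entry that carries a flag."""
    return [(e.section, e.name, "; ".join(e.flags)) for e in entries if e.flags]


if __name__ == "__main__":
    for section, name, reason in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{section:4} {name:35} {reason}")
```

    A "file missing" O23 entry is an orphaned service registration: the binary is gone but the service is still set to load, which is why abri has the two LiveUpdate Notice services stopped and then fixed. Running triage() over a full log produces that shortlist without reading every line; the unparsed entries it keeps are the ones to read by hand.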
  6. gmayhugh

    gmayhugh Private E-2

    ok - new log files after instructions

    It is funny that you should ask about the poker software on my WORK machine...LOL....My boss and I play in a free roll every day

    I followed your instructions and have attached a new combo / mg

    the only thing I see that might be a problem is in my windows task manager...there is a jqs.exe that I have never seen before

    If there is anything else I need to do please let me know
     

    Attached Files:

  7. abri

    abri MajorGeek

    Hi gmayhugh,

    In my last set of instructions in post 5 step 5, I forgot to give you the below service to end. O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)

    Please do the instructions in Post 5 Step 5 again, only this time look for Symantec Lic NetConnect and disable it.

    Then go to C:\MGTools\analyse.exe and double click on analyse.exe. Have it Do a system scan and save a logfile and attach the log with your next post. When you do your next post, go to the Manage Attachments button and look for the log for analyse.exe under C:\ in the MGTools folder. The name of the log will be hijackthis.log.

    Thanks.
    abri
     
  8. abri

    abri MajorGeek

    Hi gmayhugh,

    While you're here, I want to add a step. I know it's a lot of fuss for one file, but I would like a backup.

    Please use ComboFix as you did before.


    • Make sure that combofix.exe (cf.exe) that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):

    Code:
    KILLALL::
    
    FILE::
    C:\WINDOWS\Temp\mta112441.dll
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe (cf.exe)
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note: Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Please attach the combofix log with your next post.

    Have you and your boss tried cards and a kitty? :-D

    abri
     
    Last edited: Jul 3, 2008
  9. gmayhugh

    gmayhugh Private E-2

    ok...did new instructions

    ok...new HJlog, and new combofix log...

    We mostly play on Full Tilt... I just wanted to try out a few other sites. I really got into Texas Hold'em before it was big... been playing for a while and have won a little bit of money, but I mostly play freerolls....

    Let me know if you need me to do anything else

    and thanks a bunch by the way....
     

    Attached Files:

  10. gmayhugh

    gmayhugh Private E-2

    this just popped up??

    this popped up just as I sent my last post?
     

    Attached Files:

  11. abri

    abri MajorGeek

    Hi gmayhugh,

    Combofix continues to find the following entries, so we need to track them down and delete them manually:

    -------\Legacy_AFINDING
    -------\Legacy_PERFMONS
    -------\Legacy_ROUTING
    -------\Legacy_WSERVING

    Please do the following four registry searches:

    Download Registry Search (see the link titled RegSearch Download Link )

    • Extract the files from Regsearch.zip into a folder.
    • Doubleclick regsearch.exe to start the program.
    • Enter AFINDING in the top area of the form and then click "Ok".
    • Notepad will be opened with text in it (the file named RegSearch.txt will be saved in the program's folder as well). Attach this file to your next reply. I'm not sure if they'll create a cumulative log. You may have to rename each file so they don't overwrite each other.


    Then repeat it with:

    PERFMONS
    ROUTING
    WSERVING

    Attach the log or logs from the searches here.

    abri
     
  12. gmayhugh

    gmayhugh Private E-2

    reg search log files

    I ran the reg search for
    afinding
    perfmons
    routing
    wserving

    there are 4 log files i will attach 2..then repost 2 more
     

    Attached Files:

  13. gmayhugh

    gmayhugh Private E-2

    last reg search log

    here is the last file from reg search
     

    Attached Files:

  14. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Are you still having malware issues?
     
  15. gmayhugh

    gmayhugh Private E-2

    yes, I am still having problems

    Sorry for the delay; it was a long weekend and I did not have access to my work machine. I was asked to send in some logs last Thursday; I have sent them and now I am waiting on what I need to do next.

    I still have some odd things running in my task manager in Windows XP:

    CERWXFST.SYS
    ATWTSB.EXE
    JQS.EXE

    I am just waiting to see what I need to do next, but yes, I am still having problems
     
  16. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Forgive me but I am trying to get caught up on this issue. I am not worried about those task items .... JQS.EXE -> java quick start for one.

    Please tell me exactly what issues you are still having and also please run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file.
     
  17. gmayhugh

    gmayhugh Private E-2

    I have attached a new log

    I did this log a few minutes ago and I have attached it. As for the files running... that I can see in my task manager...

    afinding.exe and a few others are related to my problems. I have a hard time getting access to my mail, and I keep getting "sound" ads that just seem to pop up out of nowhere.

    When I reboot, or boot up in the mornings all kinds of things go on...lags, slow network access.

    thanks for your help
     

    Attached Files:

  18. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Open notepad and copy and paste the following text in the quote box into the window:
    Save this as fix.bat
    Choose to save as all files.
    Doubleclick fix.bat and let the program run.
    A small black dos window will flash, this is normal.

    Please use ComboFix as you did before.


    • Make sure that combofix.exe (cf.exe) that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):

    Code:
    KILLALL::
    
    FILE::
    C:\WINDOWS\system32\routing.exe
    C:\WINDOWS\system32\Nobicyt.exe
    C:\WINDOWS\system32\wserving.exe
    C:\WINDOWS\system32\afinding.exe
    C:\WINDOWS\system32\perfs.exe
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe (cf.exe)
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note: Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from ComboFix.
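    The CFScript boxes in posts 5, 8 and 18 share one syntax: a directive such as KILLALL::, DIRLOOK::, FILE:: or REGISTRY:: followed by its lines, with the REGISTRY:: block written in .reg style ([-KEY] deletes a key, "Name"=- deletes a value under the key named on the preceding [KEY] line). The script below is an added example, not ComboFix's own code and not from this thread or MajorGeeks: it parses a script into its sections and prints the list of actions it would take, so the person about to drag it onto ComboFix can check exactly which files and registry entries are going away. The sample script is stitched together from the boxes in posts 5 and 18; the directive handling is my own reading of those boxes and covers only the four directives that appear on this page.

```python
import re

# Added example, not ComboFix's own code. The sample script is assembled from
# the CFScript boxes in posts 5 and 18 of this thread.
SAMPLE_CFSCRIPT = r"""
KILLALL::

DIRLOOK::
C:\WINDOWS\CSC

FILE::
C:\WINDOWS\system32\routing.exe
C:\WINDOWS\system32\afinding.exe
C:\WINDOWS\BMe3b084d8.txt

REGISTRY::
[-HKEY_CURRENT_USER\Software\Kazaa]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"HideLegacyLogonScripts"=-
"RunLogonScriptSync"=-
"""

DIRECTIVE = re.compile(r"^([A-Za-z]+)::$")                    # e.g. FILE::
REG_KEY = re.compile(r"^\[(-?)(HKEY_[A-Z_]+\\[^\]]*)\]$")     # [KEY] or [-KEY]
REG_VALUE = re.compile(r'^"([^"]+)"=-$')                      # "Name"=-  (delete value)
WIN_ABS = re.compile(r"^[A-Za-z]:\\")                         # C:\...


def parse_cfscript(text: str) -> dict:
    """Split a CFScript into {DIRECTIVE: [lines]} preserving line order."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = DIRECTIVE.match(line)
        if m:
            current = m.group(1).upper()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
        else:
            raise ValueError(f"line before any directive: {line!r}")
    return sections


def plan_actions(sections: dict):
    """Describe what the script would do; return (actions, warnings)."""
    actions, warnings = [], []
    if "KILLALL" in sections:
        actions.append("terminate running processes before acting")
    for d in sections.get("DIRLOOK", []):
        actions.append(f"list directory {d}")
    for f in sections.get("FILE", []):
        actions.append(f"delete file {f}")
        if not WIN_ABS.match(f):
            warnings.append(f"FILE entry is not an absolute path: {f}")
    key = None   # the [KEY] that following "Name"=- lines refer to
    for line in sections.get("REGISTRY", []):
        if (k := REG_KEY.match(line)):
            key = k.group(2)
            if k.group(1) == "-":
                actions.append(f"delete registry key {key}")
                key = None          # values listed after a deleted key make no sense
        elif (v := REG_VALUE.match(line)):
            if key is None:
                warnings.append(f"value deletion without a current key: {line}")
            else:
                actions.append(f"delete value '{v.group(1)}' under {key}")
        else:
            warnings.append(f"unrecognised REGISTRY line: {line}")
    return actions, warnings


if __name__ == "__main__":
    acts, warns = plan_actions(parse_cfscript(SAMPLE_CFSCRIPT))
    print("\n".join(acts))
    for w in warns:
        print("WARNING:", w)
```

    Reviewing the planned actions before running the script is the point: the FILE:: lines in post 18 remove the very executables gmayhugh saw in Task Manager (routing.exe, afinding.exe, wserving.exe), and a typo in a path or a stray line under REGISTRY:: shows up here as a warning rather than as a deletion you did not intend.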
     
  19. gmayhugh

    gmayhugh Private E-2

    ok, latest files

    I followed your instructions and have generated 2 new files....

    Note:

    When I drag the file over top of ComboFix, it registers an error, but goes on with what it is doing... it says not installed or something, but it goes through its process and everything - even reboots

    I am leaving work in about an hour and I may not be able to get back to you, but I will in the morning... ok

    thanks for all your help
     

    Attached Files:

  20. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Looks good....let me know if you are still having problems.
     
  21. gmayhugh

    gmayhugh Private E-2

    thanks for all your help

    I will let you know how things go...again thanks for all your help
     
  22. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are most welcome ...If you are not having any other malware problems, it is time to do our final steps:

    1. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop & renamed it like we requested.)

    * Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required (substitute for cf whatever you renamed it)
    * "%userprofile%\Desktop\cf" /u
    o Notes: The space between the cf" and the /u must be there.
    o This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    * Delete the C:\cf folder from combofix.
    2. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    3. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    6. If you are running Windows XP or Windows ME, do the below:
    * Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore which will flush your Restore Points.
    * Then reboot and Enable System Restore to create a new clean Restore Point.
    7. After doing the above, you should work thru the below link:
    How to Protect yourself from malware!
     
