HELP!! I can't remove the virus I have. I can't find it either :(

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by cordawg92, Apr 13, 2008.

  1. cordawg92

    cordawg92 Private E-2

    SOMEONE PLEASE HELPPPPP!!!!!!!!!!!!! I know I have a virus, but I can't find it. I found a bunch of temp files that will not delete. I have gotten various trojan warnings from McAfee, and I know that there is something in my computer called mrofinu or something like that. I really need help getting rid of this. My internet also doesn't work very well, so I am using another computer for now, but if needed I can try and get some logs onto here for you.
     
  2. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    Welcome to Majorgeeks!


    As you likely already know, malware is a massive pest these days and does its level best to hide itself in any number of places, so just a HijackThis log will not show all the malware that can be on your PC. The full guide of our steps below has a few other logs that show a lot of the malware on your PC and where it is located. If you're having issues downloading the required software on the infected PC, yes, do use another PC to download the software and transfer it to the infected PC to install and run.


    Please follow the instructions in the below link and attach the requested logs when you finish these instructions.

    READ & RUN ME FIRST. Malware Removal Guide plus a guide on how to attach the logs HOW TO: Attach Items To Your Post
     
  3. cordawg92

    cordawg92 Private E-2

    I will post a reply when my computer is done its system restore. I will try that first, and if I still have the virus I am in your hands.
     
  4. cordawg92

    cordawg92 Private E-2

    I attached all of the logfiles that you said were needed. MGtools did not work well, so I attached all the other programs' logfiles.

    PS. ComboFix did not work when using Run from the Start menu, so I just clicked on it. I hope that was OK. I renamed it and everything.

    please help me.
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to follow our instructions exactly!! You did not download ComboFix from our link and are thus using an old, out-of-date copy. Please download the correct version and run it exactly as requested and attach a new log.

    Also explain your problems with MGtools and did you check to see if you are receiving any of the error messages mentioned on the Using MGtools link in the READ ME?
     
  6. cordawg92

    cordawg92 Private E-2

    I used the correct copy of ComboFix. I realised that it worked fine; the problem was that it said cf.exe.exe. Sorry about that. The logfile is fine. It says that it did not find any malware or anything like that.

    But for MGtools, it just stays at the cmd and does nothing. I checked the CPU usage and it was at 1% the whole time. Nothing was happening.

    There was no error at all


    I am not sure if I even have any viruses right now or not; the programs might have done the trick. Can you tell me by the looks of the logs I sent before?
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not according to your log! You do not have the correct version. Please download the version given in the READ ME and save it to your Desktop as cf.exe. Then run it using the instructions in the READ ME.

    Nothing appears in the command prompt window at all??

    Please do this: click Start, Run and enter cmd and click OK. This will open a command prompt window. In the command prompt window, enter the below commands, each followed by the Enter key. Note there is a space after the cd.

    cd \MGtools
    GetLogs.bat

    Now tell me what you see and if you get any error messages. Make sure you wait for this to finish running if you see things appearing in the command prompt window. It typically can take anywhere from 1 minute to 5 minutes to run, depending on PC speed, whether you allow it to run without doing anything else, and how many files and folders are on your PC.


    No! I need all the logs to tell you that.
     
  8. cordawg92

    cordawg92 Private E-2

    OK, well I tried the cf that was from your site and it will not work. I have tried it a bunch of times. I even disabled my AVG virus protector. As for the other program, I will try that now.
     
  9. cordawg92

    cordawg92 Private E-2

    OK well, MGtools does not work. When I did that thing in the CMD, it says that it cannot find it. I checked I put it in the right spot c:/Mgtools.

    So what should I do? They both won't work, but my computer is not showing any signs of viruses...
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    So why did you say you used the correct one? We need the correct one to run as it is much, much, much better than what you are running now. You need to delete the old one as it is not effective enough to keep around. What exactly happens when you run it, and did you rename it and run it EXACTLY as requested from the Start, Run box? Please try it again, but try from safe boot mode.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It cannot find what? At which command did you receive a message? It is not C:/MGtools, it is C:\MGtools.


    That does not mean you are clean. The particular infections you had can scatter lots of files all over your PC and that is what we are trying to look for using the logs from MGtools and the correct ComboFix log.
     
  12. cordawg92

    cordawg92 Private E-2

    It said that it cannot find whatever I typed in. Both commands did not work.
    And for the ComboFix, I already deleted the old one and I already put in the new one, and it still won't work.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you open Windows Explorer (right click Start and select Explore), do you see the C:\MGtools folder and also the C:\MGtools.exe file?


    Did you try safe boot mode and what exactly happens?
     
  14. cordawg92

    cordawg92 Private E-2

    I checked the Explore section, and there are both mgtools and mgtools.exe.

    I tried to boot up in safe mode and try it. But when I do it from Run, it says it can't be found, and when I click on it, a message comes up saying "warning: only 1/100 computers make it through the disinfection process, do you want to continue?" Obviously I said no. What do I do?
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay let's continue by fixing some of the malware I could see thus far and see if this helps us to get any further.

    In step one of the READ ME, there were the below instructions which it appears you did not do, because I see at least one old version of Sun Java running. Please do these steps now and make sure you click the link that says Updating Sun Java to see a list of old versions. The current version is Java(TM) 6 Update 5.
    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.
    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

    Then attach the below logs:
    • C:\avenger.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Then you did not enter the commands in the command prompt window properly.


    You are supposed to say yes!
     
  17. cordawg92

    cordawg92 Private E-2

    avenger logfile
     

    Attached Files:

  18. cordawg92

    cordawg92 Private E-2

    I did what you said. Tell me if I am on the right track so far.
     

    Attached Files:

  19. cordawg92

    cordawg92 Private E-2

    OK well I'm going to bed for now. I will be able to check back at 5 pm tomorrow (eastern), so in your following posts, try to include as much information as possible for me, and try to figure out the fastest way to get my computer clean. I think there was something wrong with the Avenger logfile.

    Do I really need to use the cf file? Will it make a big difference? Thanks.
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's closer but I believe you ran the wrong BAT file. You need to run GetLogs.bat
    It looks like you ran GetUnKey.bat because that is the only log in the MGlogs.zip file.
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes! It often finds things that other scans will not find. But right now it is really important that you get a complete MGlogs.zip file by running GetLogs.bat as requested.
     
  22. cordawg92

    cordawg92 Private E-2

    No, I am 100% sure I ran the right one lol, I swear. But apart from that, do you think anything else is majorly wrong with my comp?
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Then you must be getting errors in the command prompt window, because only 1 out of 5 logs is in the MGlogs.zip file.

    As I said before we need all of the logs to know. But based on what I have seen thus far and the problems that you are having running the scans, I would say you still have problems.


    Did the fixME.reg patch get added in successfully?

    Did you retry combofix and click yes to the statement about 1/100 disinfections failing?
     
  24. cordawg92

    cordawg92 Private E-2

    I tried it again and still whenever I click on getlogs.bat, it puts in getunkeys.bat.
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That is just one of the scans the GetLogs.bat will call. You must make sure that you wait until all scans complete. The instructions in the READ ME gave you a snapshot of what it looks like when finished. See the snapshot in here: Using MGtools
     
  26. cordawg92

    cordawg92 Private E-2

    I will retry ComboFix tomorrow. Can I do all of this tomorrow with you?? BTW, the patch added successfully. I tried clicking on each thing in the mglogs file and nothing got me the right one into the zip folder.
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes!

    You are not supposed to be clicking on anything in the MGlogs.zip file. It is only a ZIP file containing logs.
     
  28. cordawg92

    cordawg92 Private E-2

    Wait a sec ok? I'll redo the MG tools and post a reply for me. But after that I really gtg.
     
  29. cordawg92

    cordawg92 Private E-2

    Never mind. My mglogs is not doing anything else but giving me getunkey. I've waited like 10 minutes and no change.
     
  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    GetUnKey is the first scan it runs. The next scan is TrendMicro's HijackThis, which is renamed to analyse.exe, and you can see this file in the C:\MGtools folder. Are you clicking on the Accept button (you actually need to click twice) to agree to TrendMicro's License agreement? This is required only the first time the tool is run.

    After HijackThis comes, GetRunKey.bat, ShowNew.bat and processdll.exe
     
  31. cordawg92

    cordawg92 Private E-2

    No, none of that will work. I tried it. What should I do?
    Should I just do the ComboFix thing?
     
  32. cordawg92

    cordawg92 Private E-2

    IT WORKED!! COMBOFIX AND THE MGTOOLS WORKED!!! I will post all of the logs here shortly. I checked and there are about 5 or 6 logs in the mglogs zip and I got one good one for combofix!!
     
  33. cordawg92

    cordawg92 Private E-2

    Here you go. :) Please tell me I have no more viruses...

    And btw, yesterday when I restarted my comp (I don't know if this happened today yet) I got a message saying that c:/Windows/system32/yvorpyuv.dll cannot be found. Is that bad?
     

    Attached Files:

  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I can't! You are still infected which is why you got that message about the dll file. Why did you run MGtools in safe boot mode? I really need the logs to be from normal boot mode to properly check everything. I may not be able to give you a proper fix due to this. Make sure you do ALL of the below from normal boot mode.

    Uninstall Viewpoint Media Player as requested in step 1 of the READ ME.

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.ca/myway
    O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
    O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab

    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.

    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.
    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

    Then attach the below logs:
    • C:\avenger.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
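    The three HijackThis lines above are the kind of thing a helper picks out of a log by eye. As an added example, not code from this thread or from the HijackThis/MGtools authors, the Python script below parses HijackThis-style lines into structured entries and flags the ones worth a second look: "(no file)" entries, which are the same class of leftover as the "yvorpyuv.dll cannot be found" message the poster saw at logon (a registry reference whose file was already removed), O16 Download Program Files entries that point at an external URL, and R-section URL settings that the owner should confirm they chose. The sample log is constructed: the R1, O3 and O16 lines are the ones quoted above, while the header line and the O4 startup entry (and its path) are made up. The function names `parse_log`, `triage` and `report` are mine. A flag here means "review", not "malicious"; the decision still rests with whoever reads the full log.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample log for this example. The R1, O3 and O16 lines are the
# three quoted in the thread above; the header and the O4 startup entry are
# made up so the parser sees a non-entry line and a line with nothing to flag.
SAMPLE_LOG = """\
Platform: (constructed header line; ignored by the parser)
R1 - HKCU\\Software\\Microsoft\\Internet Connection Wizard,ShellNext = http://www.dell.ca/myway
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\\..\\Run: [ExampleUpdater] C:\\Program Files\\Example\\updater.exe
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
"""

# HijackThis entry lines start with a section code (R0-R3, F0-F3, N1-N4,
# O1-O24) followed by " - " and the entry body.
LINE_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
URL_RE = re.compile(r"https?://\S+")


@dataclass
class Entry:
    code: str
    body: str
    clsid: Optional[str]
    url: Optional[str]
    orphaned: bool  # HJT prints "(no file)" when the referenced file is gone
    reasons: List[str] = field(default_factory=list)

    @property
    def needs_review(self) -> bool:
        return bool(self.reasons)


def parse_line(line: str) -> Optional[Entry]:
    """Turn one log line into an Entry, or None for header/footer text."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    clsid = CLSID_RE.search(body)
    url = URL_RE.search(body)
    orphaned = "(no file)" in body
    reasons: List[str] = []
    if orphaned:
        # Same class of leftover as a "<name>.dll cannot be found" message at
        # logon: the registry still references a file that was removed.
        reasons.append("orphaned registry reference (backing file missing)")
    if code == "O16":
        reasons.append("Download Program Files (ActiveX) control fetched from an external URL")
    if code.startswith("R") and url:
        reasons.append("browser/Windows URL setting; confirm the owner chose it")
    return Entry(code, body, clsid.group(0) if clsid else None,
                 url.group(0) if url else None, orphaned, reasons)


def parse_log(text: str) -> List[Entry]:
    """All entries in a log, in file order."""
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e]


def triage(text: str) -> List[Entry]:
    """Only the entries a helper would want to look at first."""
    return [e for e in parse_log(text) if e.needs_review]


def report(text: str) -> str:
    """One line per flagged entry: code, CLSID or URL, and why it was flagged."""
    lines = []
    for e in triage(text):
        detail = e.clsid or e.url or ""
        lines.append(f"{e.code:<4} {detail:<50} {'; '.join(e.reasons)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

    Run as-is it prints the R1, O3 and O16 lines with their reasons and stays silent on the constructed O4 entry. To use it on a real log, read the file into `report()` instead of `SAMPLE_LOG`; the CLSIDs it extracts are what you would look up, and the "(no file)" flag is the first thing to check when a machine complains about a missing DLL at startup.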
     
  35. cordawg92

    cordawg92 Private E-2

    now can u tell me if im good?
     

    Attached Files:

  36. cordawg92

    cordawg92 Private E-2

    Is that all you need??

    And btw, the fixme.reg added successfully when I did it.
     
  37. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I asked for a new MGlogs.zip file not a HijackThis log.
     
  38. cordawg92

    cordawg92 Private E-2

    Well, I will try to get the MG logs but it doesn't all execute when I click mglogs.
     
  39. cordawg92

    cordawg92 Private E-2

    Whenever I run getlogs.bat, it doesn't work. All it does is get the getunkeys.bat log.
     
  40. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You are not supposed to be clicking MGlogs.zip. I said double click C:\MGtools\GetLogs.bat.
     
  41. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    As I previously stated, that is only the first thing it runs. Just let it run. If GetLogs.bat does not work then how did you get the complete log you attached in message # 33?? If you cannot manage to do this then just re-run MGtools.exe again and DO NOT stop it from running until it finishes and it tells you to close the window.
     
  42. cordawg92

    cordawg92 Private E-2

    I did. That's what I meant. It doesn't work.
     
  43. cordawg92

    cordawg92 Private E-2

    I have waited a whole day with MG tools opened. It will not go. Just give me something else to try besides run MG tools.

    For some reason it only worked in safe mode.
     
  44. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you actually having any malware problems anymore?
     
  45. cordawg92

    cordawg92 Private E-2

    How am I supposed to know if I have any malware problems? My computer seems fine. But you told me that I could still be infected and that was why u needed the logs.
     
  46. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I did not ask if you had any malware on your PC. ;) I asked are you having any malware problems. Any strange behavior that could be associated with malware.

    Yes, but since you do not seem to be able to get the final logs for us, there is not much else I can do than what has already been done. The last HJT log you attached did not show any problems, and Avenger removed what I asked it to remove. Thus things should be okay.

    Thus, if you are not having any other malware problems, it is time to do our final steps:

    1. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop & renamed it like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\cf" /u
        • Notes: The space between the cf" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\cf folder from combofix.
    2. If we used SDFix, you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    3. If we used SmitFraudFix, you can delete all files and folders related to it now, including the c:\rapport.txt log.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run Avenger, you can delete all files related to Avenger now.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    7. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    8. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    9. If you are running Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
