Malware Removal

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by dannyboy2008514, Jun 22, 2008.

  1. dannyboy2008514

    dannyboy2008514 Private E-2

    Hi, ever since my girlfriend was downloading cheap game demos on Google, I think my internet is hijacked. When I hit Ctrl-Alt-Del I can see iexplorer running high to
     

    Attached Files:

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please attach the logs from the first run of SAS and MalwareBytes.

    In the meantime:

    Use add/remove programs to uninstall:
    J2SE Runtime Environment 5.0 Update 3
    Java(TM) 6 Update 3
    Java(TM) 6 Update 5
    Messenger Plus! Live -- typical cause of a LOP infection.

    * Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    * On the page that opens, scroll down to Boonty Games
    * then right click the entry, select Properties and press Stop Service.
    * When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    * Click OK until you get back to Windows.

    * Next, run C:\MGtools\analyse.exe, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    * At the lower right, click on the Config button
    * Then click the Misc tools button
    * Select Delete an NT Service
    * Copy/paste Boonty Games into the box that opens, and press OK
    * If you receive any error messages just ignore them and continue.
    * Now exit HJT.

    Find and delete:
    C:\Program Files\temp01

    Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Now reboot and install:
    Java Runtime 6

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file and the SAS and MWB logs.
     
    Last edited: Jun 22, 2008
  3. dannyboy2008514

    dannyboy2008514 Private E-2

    I did what you told me to do. Here are the new logs.
     

    Attached Files:

  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You did not do what I asked you to do about the logs:
     
  5. dannyboy2008514

    dannyboy2008514 Private E-2

    There, I started from the beginning and followed everything, and explorer is still hijacked. It says this iexplorer is running at 65,704 when explorer is running at 7326.
     

    Attached Files:

  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    The instructions in the Read and Run sticky were written for a purpose ---> they work if followed correctly.

    Please move MGTools.exe to the root of the C: drive ( C:\MGTools.exe) not where you put it: C:\Documents and Settings\Danny\My Documents\MGtools.exe.

    Then run it until it tells you it is finished -> you are lacking a few reports in the MGLogs.zip.

    You also did not uninstall Messenger Plus! Live.
     
  7. dannyboy2008514

    dannyboy2008514 Private E-2

    Do I have to start from the beginning, or just do what you said to do with MGTools?
     
  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Move MGTools to the C: drive where I specified it to go.

    Uninstall Messenger Plus! Live

    Then run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file.
     
  9. dannyboy2008514

    dannyboy2008514 Private E-2

    There you go, mister. I did what you asked, now help me please ASAP.
     

    Attached Files:

  10. dannyboy2008514

    dannyboy2008514 Private E-2

    Do you think I'm gonna get rid of iexplorer anytime soon? It doesn't look like it's harming anything, but Internet Explorer is so slow.
     
  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Now download The Avenger by Swandog469, and save it to your Desktop.

    * Extract avenger.exe from the Zip file and save it to your desktop
    * Run avenger.exe by double-clicking on it.
    * Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\Temp
    C:\Documents and Settings\%username%\Local Settings\Temp

    Now go to Bitscan link: agree to the license and then select Scan. DO NOT CHANGE THE OPTIONS TO SHOW ALL FILES SCANNED. That will make your logs huge and we don't need to see clean files. Once Bitdefender completes the scan:

    Click-on the Detected Problems tab. Then select Click here to export the scan report

    When the window comes up to save the report, change the Save as type: box to Text (Tab Delimited) (*.txt) and then change the File name box to bdscan, then click save. This will save a file named bdscan.txt in whatever folder you are currently in when you save the file (take notice of where you are at so you can find it later). This bdscan.txt file will actually contain HTML code that we can easily view later while reviewing your log. All we have to do is rename the file to bdscan.html.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger and Bitscan.
     
  12. dannyboy2008514

    dannyboy2008514 Private E-2

    There you go. Do you think you can get back to me before 12:00? Thanks man, I hope all this can get rid of iexplorer. It was running at 100,000 when the BitDefender online scanner was going, lol. Thanks man.
     

    Attached Files:

  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I would suggest that you scan any downloaded media from Limewire and any other torrent you use.

    Bitscan could not remove these items, so let's see if Avenger can:

    * Run avenger.exe by double-clicking on it.
    * Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Now run SpyBot and attach that log along with the avenger log...and also tell me what the PID number is for the iexplorer in task manager.
     
  14. dannyboy2008514

    dannyboy2008514 Private E-2

    I did what you said about deleting them with Avenger, but as soon as I saw the online scanner failed I searched them and deleted them myself, so here is the log. It says not found, probably because I already deleted them. Another question: my Avast in my toolbar where the time is never came back, and the time stayed the same, like French time. So yeah, thanks for all of this. I can't find where the log is for Spybot :( The iexplorer PID number is at 22.726
     

    Attached Files:

  15. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    We can reset your clock...ComboFix changed it. When you run spybot it produces a log for you....save it to the desktop as a txt file and attach it to the next reply. That PID number does not look right....are you sure that is the PID number and not the usage amount?
     
  16. dannyboy2008514

    dannyboy2008514 Private E-2

    I'm at work. What time will you be offline?
     
  17. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I'm in and out....so just attach the logs when you have the opportunity to do so.
     
  18. dannyboy2008514

    dannyboy2008514 Private E-2

    Cool, thanks a lot. And about my antivirus, you didn't get back to me on that one, you only talked about the time. TTYL, thanks again.
     
  19. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    What is your question about your anti-virus? Are you talking about the program or just the time setting that may be next to your AV icon in the system tray?

    You can reset that by going to the control panel / Regional and Language / customize / time tab and changing it to the format you prefer.
     
  20. dannyboy2008514

    dannyboy2008514 Private E-2

    Again, I did run Spybot, waited like 2 hours and no log pops up at all, and I can't find where to get it. Please help. And my question about my antivirus is that I can't see it anymore in my system tray where the time is. I fixed the time, thanks. Here's what I see after Spybot is done. I found it here.
     

    Attached Files:

  21. dannyboy2008514

    dannyboy2008514 Private E-2

    And the PID number, I can't see what you mean, but the other is at about 30,000 and all numbers beside it are 0's and stay 0, not like the other ones that change sometimes to 2 and back to 0.
     
  22. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Try using add/remove programs and uninstall Avast...reboot and run CCleaner and then download and install Avast again.

    I don't recognize that PID number. It may be Avast or a firewall being active.
     
  23. dannyboy2008514

    dannyboy2008514 Private E-2

    Damn, thanks for getting Avast back. I tried CCleaner, I guess it cleaned stuff out, but still nothing. I still can't see where the PID number is. Damn, all I see in Task Manager is Image Name, which is iexplore.exe; the next column is User Name, which is danny; the next column is Session ID, the number is 0; the next column is CPU, the number flicks from 02 to 03 back to 00; and the last column is Mem Usage, which is now at 55,456.
     
  24. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    What browser are you using? And is this process using memory when you are not on the internet at all....IE physically unplugged?
     
  25. dannyboy2008514

    dannyboy2008514 Private E-2

    Windows® Internet Explorer version 7.00.6000.16674 (vista_gdr.080415-1732), and iexplorer only opens when the browser is open. Besides that all is OK I guess, but it's still annoying that my explorer is hijacked.
     
  26. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    If it wasn't running...IE7 wouldn't open. It is a legitimate system file/process. :)
    Have you cleaned out your temp internet files?

    Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.

    * Double-click ATF-Cleaner.exe to run the program.
    * Under Main choose: Select All
    * Click the Empty Selected button.

    If you use Firefox browser

    * Click Firefox at the top and choose: Select All
    * Click the Empty Selected button.
    o NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    If you use Opera browser

    * Click Opera at the top and choose: Select All
    * Click the Empty Selected button.
    o NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    Click Exit on the Main ATF Cleaner menu to close the program.
     
  27. dannyboy2008514

    dannyboy2008514 Private E-2

    I did what you did and damn, iexplorer is still popping up. Shit computer, it's a real pain in the ***. I really don't want to reformat my computer, but it looks like I'm gonna have to, ah. Got any more ideas?
     
  28. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    When you are running Internet Explorer...that process is going to run....end the task in task manager and see. What exactly are you worried about?
     
  29. dannyboy2008514

    dannyboy2008514 Private E-2

    When I end the iexplorer, well, it closes my internet page. Well, I can tell you this: when I go in C:\Program Files\Internet Explorer I see (iexplore.exe, iedw.exe, ieproxy.dll, explore.exe, hmmapi.dll, custsat.dll). Looks like something is generating iexplorer, because when I delete it, well, it comes right back not too long after.
     
  30. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Will you please believe me that it is a system file and the process in task manager is just showing that you are using Internet Explorer!! Leave it alone. :)
     
  31. dannyboy2008514

    dannyboy2008514 Private E-2

    OK, but it's weird though that it just appeared not long ago, and also that when I have more than one internet page, well, my internet goes slower than before and the mem usage is higher and higher.
     
  32. dannyboy2008514

    dannyboy2008514 Private E-2

    I think I'll save what I can and just reformat. Thank you a lot, TTYL, next problem.
     
  33. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    No it is not weird...having more pages means you are using more system resources...but if you would rather reformat, that is your call.

    This is no longer a malware issue.
     
  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You should not have a file named explorer.exe in this folder. Delete the below file:

    C:\Program Files\Internet Explorer\explore.exe

    This file appears to just be a copy of iexplore.exe, which is Internet Explorer. The real explorer.exe is in your C:\Windows folder and is significantly larger.
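A defender-side check for the kind of look-alike file chaslang points at, added here as an example and not code from the thread or from MajorGeeks. It assumes PowerShell 4 or later (for Get-FileHash) run from an elevated prompt on the affected machine, and the standard install paths for explorer.exe and iexplore.exe.

```powershell
# Added example, not from the thread: triage look-alike copies of Windows shell/browser
# executables, such as the "explore.exe" found in the Internet Explorer folder above.
# Assumptions: PowerShell 4+ (Get-FileHash) on the affected machine, run elevated.

# Where the genuine binaries live; any other file carrying one of these names needs a look.
$genuine = @{
    'explorer.exe' = Join-Path $env:WINDIR 'explorer.exe'
    'iexplore.exe' = Join-Path $env:ProgramFiles 'Internet Explorer\iexplore.exe'
}
# The real names plus the look-alikes that came up in this thread.
$suspectNames = 'explorer.exe', 'explore.exe', 'iexplore.exe', 'iexplorer.exe'

# Signed copies under WinSxS or ServicePackFiles are expected; the Signature column sorts those out.
$hits = Get-ChildItem -Path $env:ProgramFiles, $env:WINDIR -Recurse -File -Include $suspectNames -ErrorAction SilentlyContinue |
        Where-Object { $genuine.Values -notcontains $_.FullName }

foreach ($f in $hits) {
    # Compare against whichever genuine binary the name imitates: the thread's size heuristic,
    # plus a hash and Authenticode check, which is what actually settles it.
    $ref     = if ($f.Name -like 'iexplor*') { $genuine['iexplore.exe'] } else { $genuine['explorer.exe'] }
    $sig     = Get-AuthenticodeSignature -FilePath $f.FullName
    $hash    = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
    $refHash = (Get-FileHash -Path $ref -Algorithm SHA256).Hash

    [PSCustomObject]@{
        Path         = $f.FullName
        SizeBytes    = $f.Length
        RefSizeBytes = (Get-Item $ref).Length
        Signature    = $sig.Status                 # Valid, NotSigned, HashMismatch, ...
        Signer       = $sig.SignerCertificate.Subject
        CopyOfRef    = ($hash -eq $refHash)        # byte-identical to the genuine file?
    }
}

# The PID TimW asked for: Task Manager hides that column by default (View > Select Columns),
# so read it here together with memory use and the image path the process was started from.
Get-Process -Name iexplore -ErrorAction SilentlyContinue |
    Select-Object Id, Path, @{ Name = 'MemMB'; Expression = { [math]::Round($_.WorkingSet64 / 1MB, 1) } }
```

An unsigned file, or one whose hash matches the genuine binary but sits outside the expected folder, is the thing to preserve for a sample before removing it.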
     