Please help with malware removal

Welcome to Major Geeks!

You should NEVER attempt to uninstall Internet Explore (which is not the same thing as Explorer). You need Internet Explorer or you will not be able to get all of your Windows Updates and will not be able to access many websites that require it. Attempting to uninstall could break your ability to get updates.

Uninstalling these programs would not help you anyway. The infections are the source of your problems and the infections need to be removed, not IE or FireFox. Your Windows Operating System files are infected and this can be problematic to remove. The first thing you should do is backup important personal data since the act of trying to fix these kinds of infections could cause your PC to become unbootable. Do not backup any executable type file since they may be infected.

We will have to perform your fixes in stages to avoid make your PC unbootbable. So the below is only the first step. It is not a complete fix. From now on do not run anything except what we ask you to run. Do not download or install anything but what we request. Once we finish your malware removal you will be free to do what you wish.

You are way out of date with your version of SUPERAntiSpyware.

• Please uninstall your current version (this is necessary).
• Then download this SUPERAntiSpyware
• Install this new version. It may tell you that you need to reboot to complete the installation. You must reboot at this time.
• After the reboot, run SUPERAntiSpyware and immediately click the Check for Updates button to get more updates for the database.
• Now run a new full scan of your system. And attach this new log.

Now download this XPsp2bu.exe to your C:\ folder like MGtools was downloaded. Once you have it downloaded, just double click it to run it. It will extract some files we will need into your C:\MGtools folder. We will be using these in the next fix.

Uninstall the below old versions of software:
J2SE Runtime Environment 5.0

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
O2 - BHO: (no name) - {FCE43167-3446-499F-A0DD-F7D0719B842B} - C:\WINDOWS\system32\bt2k_in.dll
O3 - Toolbar: (no name) - {D0943516-5076-4020-A3B5-AEFAF26AB263} - (no file)

After clicking Fix, exit HJT.


Now we need to use ComboFix to remove a bunch of malware files.

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
• Open Notepad and copy/paste the text in the below quote box into it:

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.


After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

Now run Ccleaner to clean out only temp files and nothing else!

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).


Then attach the below logs:

• C:\ComboFix.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

You're welcome. Round two begins.

Did you purchase RegCure or do you have just the trial program which is totally useless.

I strongly advise you to cleanup your Desktop. Remove eveything but links to run programs. Do not download and save programs here and defintely do not use it for long term storage. You need to keep ComboFix.exe here for now as we need it, but we will be removing it when we are finished with your cleanup. A cluttered Desktop is malware's playground and it can also cause performance degradation especially when you start saving large files here like you are doing.

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

F2 - REG:system.ini: UserInit=C:\WINDOWS\explorer.exe,
O4 - HKLM\..\Run: [Fwuqogod] rundll32.exe "C:\WINDOWS\ojuxazexowal.dll",e
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKUS\S-1-5-18\..\Run: [reader_s] C:\Documents and Settings\Compaq_Owner\reader_s.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [reader_s] C:\Documents and Settings\Compaq_Owner\reader_s.exe (User 'Default user')

After clicking Fix, exit HJT.

Now we need to use ComboFix to remove a bunch of malware files.

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
• Open Notepad and copy/paste the text in the below quote box into it:

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

Also delete all files and subfolders in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
C:\WINDOWS\Temp
C:\Documents and Settings\Compaq_Owner\Local Settings\Temp

Now run Ccleaner to clean out only temp files and nothing else!

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

• C:\ComboFix.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

Remember I did say this could happen.

Will it boot to Last Known Good Configuration?
Will it boot in safe mode?

During the installation of ComboFix, you installed the Recovery Console which appears on a menu when you start your PC. You just need to quickly select the recovery console but using your arrow keys and then press enter. Can you get into the Recover Console?

 

What happened? Recovery Console does not boot to Windows. It boots to a command prompt?

Yes.

 

All of the infected Windows system files we replaced with good copies were reinfected. Possible there are other infected files causing this or ComboFix was interferred with somehow by the infection. Try doing the below from Safe Boot mode.



Now we need to use ComboFix

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
• Open Notepad and copy/paste the text in the below quote box into it:

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.


Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

• C:\ComboFix.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

You immediately became reinfected again. It may not be worth wasting anymore time on this. There are a few more things we could try but odds are the results would be the same. You have too many Windows system files and possibly other executable files that are infected and they are just reinfecting your system immediately.

Your safest and most reliable alternative is to reinstall from scratch.

 

If you wanted to use the Recovery Console, you would choose the C:\Windows selection since that is where you have Windows installed. However there is no sense in doing this since too many system files are infected anyway and we don't really know all of them and also you do not have a CD to even copy files from anyway.

You need to work with Someone over in the Software Forum who may be able to walk you thru reinstalling your PC from your HP Recovery Partition or from the Recovery CD/DVDs you should have made when you first setup your HP PC.