run removal tools / combofix - Logs for analysis help please

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by v2ladimyr, Jun 22, 2008.

  1. v2ladimyr

    v2ladimyr Private E-2

    I've followed the suggested methods for removing malware and viruses. Had Vundo and a bunch of other junk. Analyzed HJT and removed everything per the HJT guide. I've attached the MG log file for further suggestions. Thank you in advance for the help.
     


  2. abri

    abri MajorGeek

    Hi v2ladimyr,
    Welcome to Major Geeks!


    Please attach the other logs requested in the READ & RUN ME FIRST. You're missing the logs for Combofix, MalwareBytes and SuperAntiSpyware.

    Thanks.
    abri
     
  3. v2ladimyr

    v2ladimyr Private E-2

    Additional logs as requested.

    Thanks!
     


  4. abri

    abri MajorGeek

    Hi v2ladimyr,

    It looks like you have two antivirus programs running, which is not only bad for your computer but also renders both ineffective. Since AVG8 seems to be the more current, please uninstall all of the Symantec software. If you are using Symantec for anything other than security, you will need to be able to reinstall the parts you need, because the following tools will remove all of their files. When you run the Norton Removal Tool, please run it twice and reboot your computer after each run.

    Removing Files from Norton Antivirus Quarantine

    Norton Removal Tool (SymNRT)



    After you complete the above, please continue as follows:

    Please download Registry Search (see the link titled RegSearch Download Link).

    • Extract the files from Regsearch.zip into a folder.
    • Doubleclick regsearch.exe to start the program.
    • Enter CLBDRIVER in the top area of the form and then click "Ok".
    • Notepad will open with the results in it (the file, named RegSearch.txt, is also saved in the program's folder). Attach this file to your next reply.



    Next I would like to have you use ComboFix to remove some files.


    • Make sure that combofix.exe (cf.exe) that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box so that all lines are selected):


    Code:
    KILLALL::
    
    DRIVER::
    khfEUnMG
    qfeF8
    yrqwqdkx
    vtUomlll
    
    FILE::
    C:\Temp\itmp4
    C:\WINDOWS\qfeF8.tmp
    C:\WINDOWS\system32\yrqwqdkx.dll
    C:\WINDOWS\system32\vtUomlll.dll
    
    REGISTRY::
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfEUnMG]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5604ac28-75b1-460e-be9f-dab5358ae9df}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9785D4DF-4819-441D-980B-235D1627C76A}]
    
    [-HKEY_CURRENT_USER\Software\Kazaa]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\knight]
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "HideLegacyLogonScripts"=-
    "HideLogoffScripts"=-
    "RunLogonScriptSync"=-
    "RunStartupScriptSync"=-
    "HideStartupScripts"=-
    
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "HideLegacyLogonScripts"=-
    "HideLogoffScripts"=-
    "RunLogonScriptSync"=-
    "RunStartupScriptSync"=-
    "HideStartupScripts"=-
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe (cf.exe)
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below


    Note: Do not mouseclick combofix's window while it is running. That may cause it to stall.




    Now run CCleaner at the default setting with the Windows tab as the top one.

    And finally, please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip along with the Combofix log and the RegSearch.


    Let me know how things are running now.

    abri
     
  5. v2ladimyr

    v2ladimyr Private E-2

    Removed AVG; NAV is our corporate AV. Attaching the logs as you've requested.
     


  6. abri

    abri MajorGeek

    Hi v2ladimyr,


    1) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger


    2) Run C:\MGtools\analyse.exe by double-clicking on it. This is really HijackThis (note: if using Vista, don't double-click; right-click it and select Run As Administrator). Select "Do a system scan only". In the box that opens, find the following entries and put a checkmark next to them (if you need some of them to be in the trusted zone, leave them). After check-marking them, close all your open browser windows and click on FIX:


    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
    O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)

    After you click fix, just close hijackthis.

    3) Next I would like to have you use ComboFix to remove some files.


    • Make sure that combofix.exe (cf.exe) that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box so that all lines are selected):


    Code:
    KILLALL::
    
    DIRLOOK::
    C:\WINDOWS\system32\drivex
    C:\WINDOWS\system32\drivers\Avg(2)
    C:\Program Files\AVG(2)
    C:\Documents and Settings\All Users\Application Data\Avg8
    C:\Documents and Settings\All Users\Application Data\avg8(2)
    
    FILELOOK::
    C:\WINDOWS\x
    
    FILE::
    C:\Documents and Settings\darren\Local Settings\Temp\avg8inst.log
    C:\Documents and Settings\darren\Local Settings\Temp\GLC27.tmp
    C:\Documents and Settings\darren\Local Settings\Temp\GLK28.tmp
    C:\Documents and Settings\darren\Local Settings\Temp\jusched.log
    C:\Documents and Settings\darren\Local Settings\Temp\setup.exe
    C:\WINDOWS\BM03ce9c1c.txt
    C:\WINDOWS\PWMBTHLP.EXE
    
    REGISTRY::
    [-HKEY_CURRENT_USER\Software\Kazaa]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\knight]
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "HideLegacyLogonScripts"=-
    "HideLogoffScripts"=-
    "RunLogonScriptSync"=-
    "RunStartupScriptSync"=-
    "HideStartupScripts"=-
    
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "HideLegacyLogonScripts"=-
    "HideLogoffScripts"=-
    "RunLogonScriptSync"=-
    "RunStartupScriptSync"=-
    "HideStartupScripts"=-
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe (cf.exe)
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below


    Note: Do not mouseclick combofix's window while it is running. That may cause it to stall.


    4) Now run CCleaner at the default setting with the Windows tab as the top one.

    5) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip along with the Combofix log.


    Let me know how things are running now.

    abri
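The CFScripts in posts #4 and #6 above are the only record of what ComboFix is being asked to delete, so it is worth being able to read one before dragging it onto the executable. The Python script below is an added example for this thread; it is not part of any post and not ComboFix's own code. It parses a CFScript into its sections and turns it into a list of actions a person can review, then cross-checks the DRIVER:: names against the rest of the script. The sample input is the script from post #4, copied verbatim. Two things are assumed rather than stated on the page: the meaning of the section headers (KILLALL:: ends running processes, DRIVER:: removes the named services/drivers, FILE:: deletes the listed files, and DIRLOOK:: and FILELOOK::, used in post #6, only report on the listed paths), and that the REGISTRY:: section follows Regedit's .reg syntax, where [-KEY] deletes a whole key and "name"=- under a [KEY] line deletes one value. The ~ in the Browser Helper Objects paths is ComboFix shorthand and is left unexpanded here. The function names are mine.

```python
"""Parse a ComboFix CFScript into a reviewable action plan (added example, not ComboFix code)."""
import re

# Sample input: the CFScript from post #4 of this thread, copied verbatim.
CFSCRIPT = r"""KILLALL::

DRIVER::
khfEUnMG
qfeF8
yrqwqdkx
vtUomlll

FILE::
C:\Temp\itmp4
C:\WINDOWS\qfeF8.tmp
C:\WINDOWS\system32\yrqwqdkx.dll
C:\WINDOWS\system32\vtUomlll.dll

REGISTRY::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfEUnMG]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5604ac28-75b1-460e-be9f-dab5358ae9df}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9785D4DF-4819-441D-980B-235D1627C76A}]

[-HKEY_CURRENT_USER\Software\Kazaa]
[-HKEY_LOCAL_MACHINE\SOFTWARE\knight]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"HideLegacyLogonScripts"=-
"HideLogoffScripts"=-
"RunLogonScriptSync"=-
"RunStartupScriptSync"=-
"HideStartupScripts"=-

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"HideLegacyLogonScripts"=-
"HideLogoffScripts"=-
"RunLogonScriptSync"=-
"RunStartupScriptSync"=-
"HideStartupScripts"=-
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::$")
KEY_RE = re.compile(r"^\[(-?)(HKEY_[A-Z_]+\\.+)\]$")   # [KEY] or [-KEY]
DEL_VALUE_RE = re.compile(r'^"([^"]+)"=-$')            # "name"=-
# Assumed meaning of the section headers; DIRLOOK::/FILELOOK:: only report, they delete nothing.
ACTIONS = {"DRIVER": "delete_service", "FILE": "delete_file", "DIRLOOK": "inspect", "FILELOOK": "inspect"}

def parse_cfscript(text):
    """Split the script into an ordered {SECTION: [lines]} dict; blank lines are dropped."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).upper()
            sections.setdefault(current, [])
        elif line and current is None:
            raise ValueError("directive before any section header: %r" % line)
        elif line:
            sections[current].append(line)
    return sections

def plan_registry(lines):
    """REGISTRY:: is Regedit .reg syntax: [-KEY] deletes a key, "name"=- under [KEY] deletes a value."""
    plan, current_key = [], None
    for line in lines:
        key, value = KEY_RE.match(line), DEL_VALUE_RE.match(line)
        if key and key.group(1):                       # [-KEY]
            plan.append(("delete_key", key.group(2), None))
            current_key = None
        elif key:                                      # [KEY] opens a block of value directives
            current_key = key.group(2)
        elif value and current_key:
            plan.append(("delete_value", current_key, value.group(1)))
        else:  # "name"="data" assignments and stray lines are refused, not guessed at
            raise ValueError("unsupported or misplaced REGISTRY:: line: %r" % line)
    return plan

def build_plan(text):
    """Return the script as (action, target, value) tuples in execution order."""
    plan = []
    for name, lines in parse_cfscript(text).items():
        if name == "KILLALL":
            plan.append(("kill_all_processes", None, None))
        elif name == "REGISTRY":
            plan.extend(plan_registry(lines))
        elif name in ACTIONS:
            plan.extend((ACTIONS[name], target, None) for target in lines)
        else:
            raise ValueError("unknown section %s::" % name)
    return plan

def unreferenced_drivers(plan):
    """DRIVER:: names that no other entry mentions; in a hand-typed script that is usually a typo."""
    drivers = [t for a, t, _ in plan if a == "delete_service"]
    rest = " ".join("%s %s" % (t or "", v or "") for a, t, v in plan if a != "delete_service").lower()
    return [d for d in drivers if d.lower() not in rest]

if __name__ == "__main__":
    print(*build_plan(CFSCRIPT), sep="\n")
    print("unreferenced drivers:", unreferenced_drivers(build_plan(CFSCRIPT)))
```

Run stand-alone it prints the 24 actions from the post #4 script (one process kill, four service removals, four file deletions, five key deletions and ten value deletions) and an empty list of unreferenced drivers, since each of the four DRIVER:: names also appears in a FILE:: or REGISTRY:: entry. The parser deliberately raises on any REGISTRY:: line it does not understand rather than skipping it; a script that deletes system files and Winlogon Notify keys is not something to run with parts of it unread.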
     
  7. v2ladimyr

    v2ladimyr Private E-2

    System has been running fine. Prior to this most recent set of instructions, Kaspersky online was still detecting a trojan in a c:/outlook data/backup.pst, so I am deleting that file as well. Here are the logs after your suggestions.

    Thank you again for the help.
     


  8. abri

    abri MajorGeek

    Hi v2ladimyr,

    Please create a new restore point. If you've never created a new restore point, it is done as follows:
    • Go to Start / All Programs / Accessories / System Tools / System Restore.
    • Check the box to create a new restore point and click Next.
    • Put in the title you want, like "before deleting folders", and click OK. It takes a moment to complete.

    Then delete the following folders. Make sure the first one is empty.

    C:\WINDOWS\system32\drivex
    C:\WINDOWS\system32\drivers\Avg(2)
    C:\Program Files\AVG(2)
    C:\Documents and Settings\All Users\Application Data\Avg8
    C:\Documents and Settings\All Users\Application Data\avg8(2)

    After you finish, please run CCleaner and reboot. See how your computer is working. If everything seems okay, please go ahead with the final cleanup instructions in the box below:

    If you want to keep HijackThis (analyse.exe), then please skip the step which asks you to remove HijackThis via add/remove programs and see the extra instructions in gray at the bottom of the box.
    abri
     
